Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-03-2023 09:28

General
- Target: 5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe
- Size: 1.4MB
- MD5: cc66bf4d2675bc8ab171413f9a997875
- SHA1: 02c1294dae8b6c41c16405dd1aac5543f9f46d25
- SHA256: 5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420
- SHA512: 1dada32bb3862eaf5600dabca5542718f2e4d0e976edadaeccda8e8c4bf3528c33f0f63e56b440433949cb8de499da5e452b81fd8c7fb651c8752a22134fc8cc
- SSDEEP: 24576:DVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrEn65h/tEW:RpJOl8xFMRy/SeQg65l2W
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (10 IoCs)
  Process: 5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
  - File opened for modification: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: chrome.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Kills process with taskkill (1 IoCs)
  Process: taskkill.exe (PID 4420)
- Modifies data under HKEY_USERS (2 IoCs)
  Process: chrome.exe
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133221401185338610"
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: chrome.exe (PID 2680), chrome.exe (PID 1552)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  Process: chrome.exe (PID 2680)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Process: 5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe (PID 1932)
  - Token: SeCreateTokenPrivilege
  - Token: SeAssignPrimaryTokenPrivilege
  - Token: SeLockMemoryPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeMachineAccountPrivilege
  - Token: SeTcbPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeCreatePermanentPrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeAuditPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeSyncAgentPrivilege
  - Token: SeEnableDelegationPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 31
  - Token: 32
  - Token: 33
  - Token: 34
  - Token: 35
  Process: taskkill.exe (PID 4420)
  - Token: SeDebugPrivilege
  Process: chrome.exe (PID 2680)
  - Token: SeShutdownPrivilege (repeated)
  - Token: SeCreatePagefilePrivilege (repeated)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  Process: chrome.exe (PID 2680)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Process: chrome.exe (PID 2680)
- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 1932 wrote to memory of 5028 (5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe, procid_target 85)
  - PID 5028 wrote to memory of 4420 (cmd.exe, procid_target 87)
  - PID 1932 wrote to memory of 2680 (5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe, procid_target 92)
  - PID 2680 wrote to memory of 2400 (chrome.exe, procid_target 93)
  - PID 2680 wrote to memory of 4512 (chrome.exe, procid_target 94)
  - PID 2680 wrote to memory of 3320 (chrome.exe, procid_target 95)
  - PID 2680 wrote to memory of 1660 (chrome.exe, procid_target 96)
Processes
- C:\Users\Admin\AppData\Local\Temp\5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe (PID 1932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a3f060fb0194178fc51aedc00f724f50dc130d5838b3e2a32e89a5c4be70420.exe"
  Signatures: Drops file in Program Files directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5028)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 4420)
      Command line: taskkill /f /im chrome.exe
      Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2680)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2400)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff804699758,0x7ff804699768,0x7ff804699778
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4512)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1428 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3320)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1660)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4324)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3192 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4344)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3240 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1284)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3812 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4196)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4740 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4040)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4936 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4776)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3796)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5016 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3492)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4448)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1552)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5260 --field-trial-handle=1824,i,8568364721274648495,12751170165512224097,131072 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (PID 2040)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads