Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-04-2023 10:44
General
- Target: c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe
- Size: 1.4MB
- MD5: 301ee946be95d9877f7aaa4dca6114ea
- SHA1: 97fe33abeec9fcf615ddff85d21bb0f1caace0b2
- SHA256: c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b
- SHA512: 81408ac15c253140634f190fd6e4356253283ac5ec1ead2dcab8b5ad5bd670d0a3fd70b0dc4291e314193242985e484fda71dcd4dd09285a878056bd9a58d5a5
- SSDEEP: 24576:tVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrEPG5hMt2W:zpJOl8xFMRy/SeQgu52gW
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Drops file in Program Files directory (10 IoCs)
  Process: c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe (all entries below)
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
  - File opened for modification: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
  - File created: C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: chrome.exe (all entries below)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Kills process with taskkill (1 IoCs)
  - PID 3584: taskkill.exe
- Modifies data under HKEY_USERS (2 IoCs)
  Process: chrome.exe (all entries below)
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133256906898928366"
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 836: chrome.exe (2 entries)
  - PID 872: chrome.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  - PID 836: chrome.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - PID 4264, c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe (34 entries), Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  - PID 3584, taskkill.exe (1 entry), Token: SeDebugPrivilege
  - PID 836, chrome.exe (29 entries, alternating), Token: SeShutdownPrivilege (15 entries) and Token: SeCreatePagefilePrivilege (14 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  - PID 836: chrome.exe (26 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  - PID 836: chrome.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe, cmd.exe, chrome.exe
  - PID 4264 (c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe) wrote to memory of PID 992 (cmd.exe): 3 entries
  - PID 992 (cmd.exe) wrote to memory of PID 3584 (taskkill.exe): 3 entries
  - PID 4264 (c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe) wrote to memory of PID 836 (chrome.exe): 2 entries
  - PID 836 (chrome.exe) wrote to memory of PID 4792 (chrome.exe): 2 entries
  - PID 836 (chrome.exe) wrote to memory of PID 2564 (chrome.exe): 38 entries
  - PID 836 (chrome.exe) wrote to memory of PID 908 (chrome.exe): 2 entries
  - PID 836 (chrome.exe) wrote to memory of PID 3688 (chrome.exe): 14 entries
Processes
- [level 1] C:\Users\Admin\AppData\Local\Temp\c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c3e763ec16dec81e5e19d9bf4079677c99deb2f6d8fed754f537e78481397a9b.exe"
  PID: 4264
  - Drops file in Program Files directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [level 2] C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    PID: 992
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /f /im chrome.exe
      PID: 3584
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [level 2] C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    PID: 836
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb2ca9758,0x7ffcb2ca9768,0x7ffcb2ca9778
      PID: 4792
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:2
      PID: 2564
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 908
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 3688
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3172 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:1
      PID: 4964
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3308 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:1
      PID: 2060
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3864 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:1
      PID: 3148
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5088 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:1
      PID: 3084
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4704 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 1504
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 1156
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4768 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 4592
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 1668
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:8
      PID: 800
    - [level 3] C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2944 --field-trial-handle=1896,i,11310804185733769530,13905865147848196786,131072 /prefetch:2
      PID: 872
      - Suspicious behavior: EnumeratesProcesses
- [level 1] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 3180
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 786B
  MD5: 9ffe618d587a0685d80e9f8bb7d89d39
  SHA1: 8e9cae42c911027aafae56f9b1a16eb8dd7a739c
  SHA256: a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e
  SHA512: a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12
- Filesize: 6KB
  MD5: 362695f3dd9c02c83039898198484188
  SHA1: 85dcacc66a106feca7a94a42fc43e08c806a0322
  SHA256: 40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca
  SHA512: a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f
- Filesize: 13KB
  MD5: 4ff108e4584780dce15d610c142c3e62
  SHA1: 77e4519962e2f6a9fc93342137dbb31c33b76b04
  SHA256: fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a
  SHA512: d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2
- Filesize: 20KB
  MD5: 791f669a29a97110f111b73d0cc56495
  SHA1: ca32178278f33d04bf83ac1103ff09cf7c8a4303
  SHA256: b8c972495575c041be754f35ef89b58167cb37aa7525f3eba6b3535e686a7223
  SHA512: 6cb806498bfcbaa190f186fe7839a14381300fb2f7f492989bd8502035a5b9b480d967c87a1c6b61672297f393bf39de1427c5f8ebf6ea4fb1878a774cedbddb
- Filesize: 3KB
  MD5: c31f14d9b1b840e4b9c851cbe843fc8f
  SHA1: 205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4
  SHA256: 03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54
  SHA512: 2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa
- Filesize: 84KB
  MD5: a09e13ee94d51c524b7e2a728c7d4039
  SHA1: 0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae
  SHA256: 160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef
  SHA512: f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a
- Filesize: 604B
  MD5: 23231681d1c6f85fa32e725d6d63b19b
  SHA1: f69315530b49ac743b0e012652a3a5efaed94f17
  SHA256: 03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a
  SHA512: 36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2
- Filesize: 268B
  MD5: 0f26002ee3b4b4440e5949a969ea7503
  SHA1: 31fc518828fe4894e8077ec5686dce7b1ed281d7
  SHA256: 282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d
  SHA512: 4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11
- Filesize: 1KB
  MD5: 05bfb082915ee2b59a7f32fa3cc79432
  SHA1: c1acd799ae271bcdde50f30082d25af31c1208c3
  SHA256: 04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1
  SHA512: 6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3
- Filesize: 1KB
  MD5: 3db3456d92d277675550cc14b9f12477
  SHA1: b5bf997a901800a5967ac3b0b728172c9f52f437
  SHA256: 60dc2704715ef5470942f60cea3b91bfc9dc938256d0e1d927f964f24e9f85d2
  SHA512: 2e78d83dda62658c08ba1cfffc1bf97cb879ec5a1e9fc772a887a8c40a059bf9aca041855bcc289a9bbc6c4208e65d570d60af19b894a151b02ef5ab2b7b2590
- Filesize: 874B
  MD5: 6cda7de21e98075869c0779fbc1b4f79
  SHA1: c44a50a6e337d42645c682d6655429130f7a799d
  SHA256: c4ade3a87d5b61516300395e0d88f7f7c4c303d937a98a9aed5658185fc1d01e
  SHA512: 83386613e2329526d60d0a2f8f160c51daeab23b5f25df52075bded0aa550fbbf9cbc6c8762ad4811fffc705d0efb2ca8c64f968c87a3c853d101540a4b8c4ad
- Filesize: 874B
  MD5: a031c06045e770c1a17fc102c655b341
  SHA1: 779d8c085928284a8e838f21d4e9949cee68e58d
  SHA256: 95e9cd84ede817f8598e19178bb26c9a8abfc5cd5c2f869c78b6bbaec59985f4
  SHA512: f76ea342bbd70a713a6a38d130deff23d5a87c81c6c659ffbb887be2562701b736ca4f82fd5fd54b2d665093a8dcde1551a8700f24e53565abde6beb5a979cb6
- Filesize: 874B
  MD5: d4d88b36ec96065585aaade1ebe0edc3
  SHA1: 9e59bb6cab8a82086ca588d01c7cf78a3b0f50a8
  SHA256: 4c2e15047f95c9dfcfceea5df60f659dcc0f0d96b77e044274c0b1ad8dea8075
  SHA512: b7c8be220597ef12f6d345b582d6c2d1595631bb202de2c810711954078d4199243abac5cb5b7c8d3eb4575dd909cc1b52f06bf94b07cde8d17e55251855203e
- Filesize: 874B
  MD5: 61b5d180f83486ec4979506fff04fc9c
  SHA1: e616fcc8c396b22cf586529d303ea6b43b11eb3f
  SHA256: 3ccc0883089226b38f092bec54a118013e61cdfeaad7f085d5a94db5cc16fa04
  SHA512: e4d1f60811924fb96cbd8cd8f7b16c7b25004b384450a3a34f72102e363b7c694a3302ac97d3c94912bb2dbe80a4b3e3d81f75941f00bb20900a49f047b6c559
- Filesize: 6KB
  MD5: 0cc01dfedc81945d5c1a29ad4b2b0e81
  SHA1: c3e9b99c4faaf18e8557d9cd087db3e44dd76424
  SHA256: ea26a75272fb0147daf432b11a0dd112d52a1d7555a6a3c37a6c929a50e55392
  SHA512: 0c82bf420e799ce69702b81940ee4f1a5303fc7d1fd1f49263fd89072395499a62704eab4240aab2b99da0ebc6b74086902a6ffb864d91551d44d785b036eca7
- Filesize: 6KB
  MD5: 43d2003ac5876d448855c894c5d548e1
  SHA1: 8a225587eb3dbf75ef75cbfdb2c42f8908fa8923
  SHA256: 61f684bee2ecb2dfc99758ff7366a836510a0e49a8dec1d530f7ae4625c85323
  SHA512: 3a285cc4c99e8dd44ce4f8293744b41ef68c2a54cc5f087d57cc80e910ff4998e814ff3080ddc4fd84a971db27a48af852e97c9b159940dfa3335835c80d02bb
- Filesize: 16KB
  MD5: ac821ea53c1507f9d1c5ba900bda2bb0
  SHA1: 20180a35eb36abb179ccb205ecd4de974c7e2a91
  SHA256: 87dbcf25a4a3b902169a4d330e2abdd36f3c383035dc0113b5991970ca46380f
  SHA512: 661875f18d4ff6717828168cc8f47b203bee8aa4e1bebd401a69fb82b5c3234b27fe7365151fd36226eba42e1aad57e7322fda20192f52a1f86593f4dda6f9e1
- Filesize: 16KB
  MD5: 89d1a50e0c0017f439d774b059b34381
  SHA1: c61fb3bf39a6a2f9a2a6b8ae9115012b1aa155a0
  SHA256: e183cb1ab229c09d41969d905b41ef134c9d3ace3c973699dadf156bdc3456ba
  SHA512: 9ebe1142c0eb9d9e4c92a6f37507bb77026914a6e752ef0789b077d194dbf7a8ee62ff333504bb8206461f984c4c2bb873365d8e08d3044bb43dd3af05fc4dfe
- Filesize: 199KB
  MD5: 46229bfe43f47b1485fe990271766bff
  SHA1: b68ed39a77bff6439296aa7dc372de60577130c0
  SHA256: afd7412bf3ea1e15d2236f775b12d2eec9d915abc8820b6a9d0e38a1591d4db9
  SHA512: fffb919ebb27a3c89fce8df629465526a3a3ee378f9a8f7e8333c1f9b8e3a61c7e60fcf8506fd1026e8cbdc527c1da103cae73bf472c7b0a81f0fabbf4be8b5c
- Filesize: 2B
  MD5: 99914b932bd37a50b983c5e7c90ae93b
  SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
- Filesize: not listed
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e