52cb8761856ce29433d6e455ef29da70d3d7a51ff4b28f5a0a1c332655891f0f

Resubmissions

03/11/2023, 19:16

231103-xy78jsha4w 4

03/11/2023, 19:10

03/11/2023, 08:07

03/11/2023, 08:02

03/11/2023, 07:59

Analysis

max time kernel
44s
max time network
75s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sidekick-win-installer-34426.exe
Size

328KB
MD5

ece86b7cc20233c01d38df7a1a93daff
SHA1

de93f7d742c6c94da8ce8e700d2ee25520c6ee9f
SHA256

52cb8761856ce29433d6e455ef29da70d3d7a51ff4b28f5a0a1c332655891f0f
SHA512

7df133a06ad197ccc6edc3fde36de00421277c7920c8d436ca5d01680aa14dbdb1c48eedf3751268574b5093efef887f3ae618f94352dda09ca0f1d7f763390d
SSDEEP

6144:0Ya6XC5Wp3+7W98/MavNNM6RYRN3BXFULW+CgD0tNYF6m0qC:0Y/p3+7W8/HNNZi7l+kDYF6mM

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\nsj8EFA.tmp\nsj8EFB.tmp	sidekick-win-installer-34426.exe
File opened for modification	C:\Program Files (x86)\nsj8EFA.tmp\	sidekick-win-installer-34426.exe
File opened for modification	C:\Program Files (x86)\nsj8EFC.tmp	sidekick-win-installer-34426.exe
File opened for modification	C:\Program Files (x86)\nsj8EFC.tmp\nsj8EFD.tmp	sidekick-win-installer-34426.exe
File opened for modification	C:\Program Files (x86)\nsj8EFC.tmp\	sidekick-win-installer-34426.exe
File opened for modification	C:\Program Files (x86)\nsj8EFA.tmp	sidekick-win-installer-34426.exe

Loads dropped DLL 9 IoCs

pid	Process
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	sidekick-win-installer-34426.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	sidekick-win-installer-34426.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sidekick-win-installer-34426.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sidekick-win-installer-34426.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	sidekick-win-installer-34426.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe
Token: SeShutdownPrivilege	2008	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3004	sidekick-win-installer-34426.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe
2008	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3004	sidekick-win-installer-34426.exe
3004	sidekick-win-installer-34426.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2456	2008	chrome.exe	34
PID 2008 wrote to memory of 2456	2008	chrome.exe	34
PID 2008 wrote to memory of 2456	2008	chrome.exe	34
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2880	2008	chrome.exe	36
PID 2008 wrote to memory of 2772	2008	chrome.exe	37
PID 2008 wrote to memory of 2772	2008	chrome.exe	37
PID 2008 wrote to memory of 2772	2008	chrome.exe	37
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38
PID 2008 wrote to memory of 2660	2008	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\sidekick-win-installer-34426.exe
"C:\Users\Admin\AppData\Local\Temp\sidekick-win-installer-34426.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6869758,0x7fef6869768,0x7fef6869778
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:2
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2288 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3176 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:2
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3156 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:2
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1264 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1440 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3512 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3516 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3676 --field-trial-handle=1364,i,13914561237779364141,10259617934826728055,131072 /prefetch:8
  2⤵
  PID:660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d295ec1e29a5aec792d7e848462c2e3d

SHA1
c96888bf480995df10e2ebcf27ad201636f2d5fc

SHA256
a9205eefbc6730de8b010250b1f0fa8c220b312432e0b795fd70fc15392d8ee6

SHA512
efa2e5049a1889ea83e791f72e021423d8b39bfd1d62153448d0639c349996e86e758f28edd5f40c7329dde39a39a7078f8919ffa3817d404a42cbfd23942505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6ccbc1b3-a92a-460f-b3ba-aa12e2f82f67.tmp

Filesize
219KB

MD5
9300b5c208e14240ef4ae8ebb0ddd5a1

SHA1
bca7cb39ad7d63cd923c3661e55cd2295c86528d

SHA256
dc5c5aa0ca86991b2283bd657166ab47e345c6d682dfd975108b976ad563c04e

SHA512
212c28e4ea781b8ab77492080ce245a936f57451ba993629bb6626c120a6cee2fa6c66473d7dcd4f4856aab83b13847c02b324f019c5a86eb3aec0f707143d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab91EC.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar922E.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\CertCheck.dll

Filesize
5KB

MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\HttpPostFile.dll

Filesize
4KB

MD5
14f58535542482e59e1fbacafb563737

SHA1
9332101d425d90eafbde3ccb27487940080a9472

SHA256
deb32afa701ba2790a4044d6144c063cbfc26bdbb191b536e229c9e6bdacbe82

SHA512
3175b4f0861e2b13309012419cdbd10a09ed54e9b26f8ad362973ae3b9d88521b9c72a6b03b11e02b0eb6ccb4421417944d8277e7b5d4d6182243b9d46b91fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\WebBrowser.dll

Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\download.exe

Filesize
101.5MB

MD5
ad57c6b3c0b7d9eff237a400dd9804f2

SHA1
3b20c98077700b3f2bb9b08c79add98408b5703c

SHA256
c4800f9d98dac5efce4b9f5de6fafddec525e1071a7304672f77fae926246bb3

SHA512
714c777c3733e42365186b90b638332144459e1f948408a76458e64ba91023ce3bc1d852801d9909439681230ad54574e0128a8358644614703a6d6433012562

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\installing.html

Filesize
1KB

MD5
fae3b355070331b9c8c1f66e95c22d9f

SHA1
5cb394ab05d6d2ce4c9ceec66d0eff466b7f3ee2

SHA256
dd5d18427c52c220a8a29b25e21ce7c35669a9446978296c2e0837f5a6f08bdf

SHA512
32605b1b4be47aceeee193c046493041b51d9993cf29f73e4595fe10d60dc6a997a0fa3eeda74fb48a5156f971b28b715bf725bc67d44d87b5052ebf6556f6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\installing.js

Filesize
2KB

MD5
dfa7861bca754036ab853b3bb02b194d

SHA1
46d7c5ba614b39caa4857fcba4bdedbabb2c67c0

SHA256
2c286b6eefd38f032a385f3ac6a1f794deab3bac0fbff71bd0ba21453f477878

SHA512
c58d96fb2496a84261a5e4b18cf4156a30f9ad161bbabc3652b6b5c24976f1ac432dced31927a9443260cdca0292524d1f691766b7c0731f926d37be11fe0c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\installing_page.css

Filesize
1KB

MD5
8d809f324dcb3b7c458fc2fad781f0c1

SHA1
e9b38fd62b0e3061a164db4ee79545cfb775755c

SHA256
90d1fccf57930fae2b128c405b911c8300fc4697ae97e1a5e54e661f89f7ce8a

SHA512
bc4366503e7e1c033f2b01ad76361e6b3caa0a0cc751b9beafbd0d47930a3f53536e1025dd7c22007dcf113bb72db3dc4b5ddde1f694757cd33da33c91e6e250

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\nsJSON.dll

Filesize
23KB

MD5
f4d89d9a2a3e2f164aea3e93864905c9

SHA1
4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

SHA256
64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

SHA512
dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\stub_common.css

Filesize
684B

MD5
544b51f11ad19df720669478d28f129d

SHA1
d238b604fd3fa37dfd552eacdc6aacc474fcddad

SHA256
4d9495b6f0e18331659993b79440e414a6e607fcdaeacbc7477e0683cc0fa98b

SHA512
bbbb0f31839316c51464cfd225166145f968ce38995dc2748df5402b7e109ff6119d65b6774fc4738638ad4c9d89776516b00ab5a700097d9d74e1824a11dc5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\stub_common.js

Filesize
817B

MD5
58b8ac894c64370cfa137f5848aeb88d

SHA1
6a1ac1f88a918a232b79fe798b2de69cf433945f

SHA256
0e28aa770b0afade30be85c6dc1e50344db8f8cdd3fa01989d81a9e20a4990bd

SHA512
ae309518e0f926021e4d9378950c1a375263247d4f79d8a8cc09464cd01653ae5e707d52a4b0c36d532e649c246f4be6b5ba8648f58fb0e3e40c495ae63180ab

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\CertCheck.dll

Filesize
5KB

MD5
2979f933cbbac19cfe35b1fa02cc95a4

SHA1
4f208c9c12199491d7ba3c1ee640fca615e11e92

SHA256
bcb6572fcb846d5b4459459a2ef9bde97628782b983eb23fadacbaec76528e6f

SHA512
61f07c54e0aaa59e23e244f3a7fd5e6a6c6a00730d55add8af338e33431ed166d156a66455a4f9321cafbce297e770abc1cb65f7410923cb2b5e5067d1768096

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\HttpPostFile.dll

Filesize
4KB

MD5
14f58535542482e59e1fbacafb563737

SHA1
9332101d425d90eafbde3ccb27487940080a9472

SHA256
deb32afa701ba2790a4044d6144c063cbfc26bdbb191b536e229c9e6bdacbe82

SHA512
3175b4f0861e2b13309012419cdbd10a09ed54e9b26f8ad362973ae3b9d88521b9c72a6b03b11e02b0eb6ccb4421417944d8277e7b5d4d6182243b9d46b91fe5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\HttpPostFile.dll

Filesize
4KB

MD5
14f58535542482e59e1fbacafb563737

SHA1
9332101d425d90eafbde3ccb27487940080a9472

SHA256
deb32afa701ba2790a4044d6144c063cbfc26bdbb191b536e229c9e6bdacbe82

SHA512
3175b4f0861e2b13309012419cdbd10a09ed54e9b26f8ad362973ae3b9d88521b9c72a6b03b11e02b0eb6ccb4421417944d8277e7b5d4d6182243b9d46b91fe5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\HttpPostFile.dll

Filesize
4KB

MD5
14f58535542482e59e1fbacafb563737

SHA1
9332101d425d90eafbde3ccb27487940080a9472

SHA256
deb32afa701ba2790a4044d6144c063cbfc26bdbb191b536e229c9e6bdacbe82

SHA512
3175b4f0861e2b13309012419cdbd10a09ed54e9b26f8ad362973ae3b9d88521b9c72a6b03b11e02b0eb6ccb4421417944d8277e7b5d4d6182243b9d46b91fe5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\HttpPostFile.dll

Filesize
4KB

MD5
14f58535542482e59e1fbacafb563737

SHA1
9332101d425d90eafbde3ccb27487940080a9472

SHA256
deb32afa701ba2790a4044d6144c063cbfc26bdbb191b536e229c9e6bdacbe82

SHA512
3175b4f0861e2b13309012419cdbd10a09ed54e9b26f8ad362973ae3b9d88521b9c72a6b03b11e02b0eb6ccb4421417944d8277e7b5d4d6182243b9d46b91fe5

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\InetBgDL.dll

Filesize
7KB

MD5
d4f7b4f9c296308e03a55cb0896a92fc

SHA1
63065bed300926a5b39eabf6efdf9296ed46e0cc

SHA256
6b553f94ac133d8e70fac0fcaa01217fae24f85d134d3964c1beea278191cf83

SHA512
d4acc719ae29c53845ccf4778e1d7ed67f30358af30545fc744facdb9f4e3b05d8cb7dc5e72c93895259e9882471c056395ab2e6f238310841b767d6acbcd6c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\WebBrowser.dll

Filesize
93KB

MD5
dfe24aa39f009e9d98b20b7c9cc070b1

SHA1
f48e4923c95466f689e8c5408265b52437ed2701

SHA256
8ec65a3d8ae8a290a6066773e49387fd368f5697392dfb58eac1b63640e30444

SHA512
665ce32d3776b1b41f95ed685054a796d0c1938dbc237619fa6309d1b52ae3bd44e3cf0a1f53ebf88556f7603111cca6dff1bfc917a911e0a9ce04affd0d5261

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8EBA.tmp\nsJSON.dll

Filesize
23KB

MD5
f4d89d9a2a3e2f164aea3e93864905c9

SHA1
4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

SHA256
64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

SHA512
dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

Download Submit