socelars | 0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Size

570KB
MD5

ba172fe67887f9e64b2a018e4b46ca76
SHA1

63190409cd88478191b0311c0d2482a41b7b81db
SHA256

0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9
SHA512

6942fce34f6410e436b8a789431a8d45d7e06b9ad41e9d3f9820cb1aba1c5bd7e7bf0d24f1957420f7682655c253ee1d7acc3b0a3b1a79a26999c268346487ff
SSDEEP

12288:SqgvflaO//G9Bq2Spgnu/X2CWJscuzwhdUvAROYyz8jm3hdzgyvkwhCZ7aXINMXy:yYOnGTq2SinsGCWJsjUhuvAR7yQQsiCE

Score

10^/10

socelars spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/dfgg320/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/memory/3028-31-0x0000000000400000-0x0000000000584000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3028-0-0x0000000000400000-0x0000000000584000-memory.dmp	upx
behavioral2/memory/3028-31-0x0000000000400000-0x0000000000584000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
18	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5060	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529743984732763"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3748	chrome.exe
3748	chrome.exe
3304	chrome.exe
3304	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeAssignPrimaryTokenPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeLockMemoryPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeIncreaseQuotaPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeMachineAccountPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeTcbPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeSecurityPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeTakeOwnershipPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeLoadDriverPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeSystemProfilePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeSystemtimePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeProfSingleProcessPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeIncBasePriorityPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeCreatePagefilePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeCreatePermanentPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeBackupPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeRestorePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeShutdownPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeDebugPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeAuditPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeSystemEnvironmentPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeChangeNotifyPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeRemoteShutdownPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeUndockPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeSyncAgentPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeEnableDelegationPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeManageVolumePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeImpersonatePrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeCreateGlobalPrivilege	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: 31	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: 32	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: 33	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: 34	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: 35	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe
Token: SeCreatePagefilePrivilege	3748	chrome.exe
Token: SeShutdownPrivilege	3748	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe
3748	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4696	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe	84
PID 3028 wrote to memory of 4696	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe	84
PID 3028 wrote to memory of 4696	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe	84
PID 4696 wrote to memory of 5060	4696	cmd.exe	86
PID 4696 wrote to memory of 5060	4696	cmd.exe	86
PID 4696 wrote to memory of 5060	4696	cmd.exe	86
PID 3028 wrote to memory of 3748	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe	91
PID 3028 wrote to memory of 3748	3028	0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe	91
PID 3748 wrote to memory of 4180	3748	chrome.exe	92
PID 3748 wrote to memory of 4180	3748	chrome.exe	92
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 2604	3748	chrome.exe	94
PID 3748 wrote to memory of 3232	3748	chrome.exe	93
PID 3748 wrote to memory of 3232	3748	chrome.exe	93
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95
PID 3748 wrote to memory of 3008	3748	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe
"C:\Users\Admin\AppData\Local\Temp\0abdfce62536624bbfc8b313265fcf067dde15c3ae820f70088eeebd932fbfa9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffc826a9758,0x7ffc826a9768,0x7ffc826a9778
    3⤵
    PID:4180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:8
    3⤵
    PID:3232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:2
    3⤵
    PID:2604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:8
    3⤵
    PID:3008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:1
    3⤵
    PID:3168
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3164 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3684 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:1
    3⤵
    PID:4252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5080 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:1
    3⤵
    PID:4844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:8
    3⤵
    PID:2924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5632 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:8
    3⤵
    PID:1864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:8
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2676 --field-trial-handle=1824,i,7659606688128051668,10610703475445930748,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3304

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
76c82334671acec56678f9b8f27dbdcc

SHA1
068d88680f74149dd08e1f9579cad37af9b4ff78

SHA256
9e022ab2aa269436b9904389ecc946652f6afe309fedebf482fd291609513db9

SHA512
8592b3395307fe0862fabf6fa92e7e1c8af0aaee7e25d95b328437324eba7ab1ff6d7e964a42f9dcd550738e44365532af795d1c4ac59d16310db1fedb6e5619

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
777fc458f2a6f98af787d1dc64ffb736

SHA1
d78df76d29c6f02cc0a49470b754977844395bd6

SHA256
190e93b598a3ad44054c2a9d668107fb54f7926c4b666487c4c6488e87006068

SHA512
71610964548f758cc6b8e1b452c63447e4f7ede1aa9e177e6c2166786b35445c5b93a62d9f80a7fc7a7d15649e3e4af5be2a95b06c9dd327186ae13ef873f50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5082338320a42ff0510091b41945cc92

SHA1
e74683097bfa2f8b1b1c1a9fd29617865948ee34

SHA256
7af89599e1fa3203f33e7878f711a2ea48d59e562a92d0e6addea2490c43794b

SHA512
3be34cb05e7509de3c2bec85cb3a448717f0b16a88cb1da42c7b9d859d884cdffff0833bf42b51f94827b8eebc277232493f0254481ee0de5811cb9b5d288f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
59f5b23b1faf169836b9de05d5a2187d

SHA1
0e33f1302812fe6222f7501c5d0186c12827ae04

SHA256
8baac3913eee000b8f264955ad6abd5657e43896b6d260e3c522d63e60c69e13

SHA512
fa65bb3e059ebb8efb1ec5342cb635a725b7f51a88d867cba75575591ae9fb83307634f45ca799070e4226194f949f709f8518121d0398d42a54874bea9de4af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ccb91df13e47342fb055718220865930

SHA1
15dfce9114b5cad168b2734948a5e4da0bc873d3

SHA256
671d3a4717b41e288617007b67abdaacc5e0354e6a2cdc061431f6cac639415e

SHA512
68179df082fbf33a409e2131543c0128d95411ebd16e852b1f4a1ca98f26d01e28a6fa927d121507fcd7ea915c3747cc3cafcc332c764cfe52bb5d13fe8a95ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e7897840-31a9-475d-b943-64b67fab52e2.tmp

Filesize
1KB

MD5
1d75d64d805e8dc42886ec7f28d25790

SHA1
708257071298251fccb4b5f822b4df6bd9389777

SHA256
ac0bd619f787cfe3e41eef595b2454fa3b94e3d20842582c6753895968eee013

SHA512
2b713663844134efca33baf33407963552cb1488cb7a58e4616fbba963d84dc1da0687a817fac00869d603cdbd526d45a955efc5d9d57c94ba03d9b35141f653

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2b12a82ef6e7e3233aad604df01c4f76

SHA1
55d45eee6e7138012271d9c4584b8e439c7740fe

SHA256
6a6efee60c80127939e185272e7a8d4c4ac374c7a90edc44a1c6214c17323423

SHA512
ab29979f4972b273b8cca22139697b677a999aca70f7ebfd0c80288f5dc9cf31caf3ea14b996940cfcdaa735cc8bc308367706ff52f0190e74fbc4a801c6d6a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
34389dbe9997cecfeccdbf0e5e26f052

SHA1
c22c89f17223e06778ff66657569903b7dfa4c16

SHA256
1ecd7129b2adac283af2c07b9e7edac0f6b4068607be61ece14b8486991e215f

SHA512
1268dc84b7266ed830016e3f6c504eafb1ab4426b6085be0c069f9da354c793b417476526286d3fff05f493beea55b9e66c4acf8dde887532f24d212747bb518

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
6b169f9b1474c5039f385e0514380a73

SHA1
c67e74979e90452e50421e63c3822ed938e09a73

SHA256
1ce761bc2d157c3e494e2fd67dbd5a819a2bdafef1ef575b86df07bdec38b64c

SHA512
91fd2f5cfe210617ad5a8ef5921078665a0009be99a44c629596dd84324b018fcee55b1f57b83cb3d82a21ec8714574858bec5b8e5d05e9e0f088e09fdf74a9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
f5cef6b14b6268cb259b8fbc0c294fd6

SHA1
d2048b61411c07acf36df1cfe631286074ec686b

SHA256
b0551262757684ca71cdf7b445436b35daed85ef148a7cb5334a9a3446d72433

SHA512
4c96649b534afefbf9a515a4c71befc501f08f32b6a35b49ed053d58107c1d0231166e5b3f9cd6ef16c5d89ae4b411a925c968e7fe9f5dc0da37baec731bea68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
567f35e75b43072daf40608cad083fa9

SHA1
cc6a0f0400e6be88051127d6ae453323beaa4a9a

SHA256
64411c1d656a1e4295f985387d1161854afe3946d9a5cd5d014265856861955d

SHA512
bae4484589c9d269c75a8c3e2c3f1de034414a83bc428e8a4e17d0f6de7a19a9f46d7fdda526238737b2e7b1e5fa8462c3b19b8ed9dcf7747e662f5123da61d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/3028-31-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/3028-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download