socelars | 7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b

Analysis

max time kernel
27s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-02-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Size

570KB
MD5

18de29749083d2162b5c4eeb8ce2cc34
SHA1

cd7d13580681f36799b8fb5a72926a5b64daec31
SHA256

7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b
SHA512

aa30b0482c7f0feba1bd63e2cc198438bedb5c1d3a33c47e2930d9ed6192587eaf3580aa071d67af82b860d6baa52e2f283664cd790efc45375d170649c5f3ad
SSDEEP

12288:K7zerkKbDkVraNncPQFABDCc+LGZ2FzXJ0w7swXIj4piDJl4BTSpRYKoS:4erkJVraHFABDGCkFV4w9piz4FS7

Score

10^/10

socelars spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1704-69-0x0000000000400000-0x0000000000585000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-0-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral1/memory/1704-69-0x0000000000400000-0x0000000000585000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

Processes:

7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
2732	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid	Process
1016	chrome.exe
1016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeAssignPrimaryTokenPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeLockMemoryPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeIncreaseQuotaPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeMachineAccountPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeTcbPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeSecurityPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeTakeOwnershipPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeLoadDriverPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeSystemProfilePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeSystemtimePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeProfSingleProcessPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeIncBasePriorityPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeCreatePagefilePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeCreatePermanentPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeBackupPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeRestorePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeShutdownPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeDebugPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeAuditPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeSystemEnvironmentPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeChangeNotifyPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeRemoteShutdownPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeUndockPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeSyncAgentPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeEnableDelegationPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeManageVolumePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeImpersonatePrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeCreateGlobalPrivilege	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: 31	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: 32	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: 33	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: 34	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: 35	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe
Token: SeShutdownPrivilege	1016	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	Process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	Process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.execmd.exechrome.exe

description	pid	Process	procid_target
PID 1704 wrote to memory of 2972	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	28
PID 1704 wrote to memory of 2972	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	28
PID 1704 wrote to memory of 2972	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	28
PID 1704 wrote to memory of 2972	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	28
PID 2972 wrote to memory of 2732	2972	cmd.exe	30
PID 2972 wrote to memory of 2732	2972	cmd.exe	30
PID 2972 wrote to memory of 2732	2972	cmd.exe	30
PID 2972 wrote to memory of 2732	2972	cmd.exe	30
PID 1704 wrote to memory of 1016	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	33
PID 1704 wrote to memory of 1016	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	33
PID 1704 wrote to memory of 1016	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	33
PID 1704 wrote to memory of 1016	1704	7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe	33
PID 1016 wrote to memory of 1524	1016	chrome.exe	34
PID 1016 wrote to memory of 1524	1016	chrome.exe	34
PID 1016 wrote to memory of 1524	1016	chrome.exe	34
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 464	1016	chrome.exe	35
PID 1016 wrote to memory of 2900	1016	chrome.exe	36
PID 1016 wrote to memory of 2900	1016	chrome.exe	36
PID 1016 wrote to memory of 2900	1016	chrome.exe	36
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37
PID 1016 wrote to memory of 2892	1016	chrome.exe	37

C:\Users\Admin\AppData\Local\Temp\7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe
"C:\Users\Admin\AppData\Local\Temp\7a4d9538b91ad5326fe54fddf1fdb3775f8d4f662ee96174346ec80e992e2d4b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7169758,0x7fef7169768,0x7fef7169778
    3⤵
    PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:2
    3⤵
    PID:464
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:8
    3⤵
    PID:2900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:8
    3⤵
    PID:2892
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2240 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:1
    3⤵
    PID:2948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2248 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:1
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2596 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:1
    3⤵
    PID:3024
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:2
    3⤵
    PID:3000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1424 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:1
    3⤵
    PID:780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1368,i,5971759617427606818,3862689176504119188,131072 /prefetch:8
    3⤵
    PID:2184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
ffaddd444479445041f34f086621377f

SHA1
8be87ab54e6a3440250315dc78353428f7aea5c3

SHA256
59717b701d07bb5a76075ab9d12a46be9b29c1386e601100c5e11a8ca7712bd3

SHA512
c8d0b9a9470899479ce981d807c7794a849e0fbff4c2ae6ed769c040412c0b679fdffe906a38959298cef075a7004ea46f232aa1b3f57183931ed8a5d2d3b2e9

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
64KB

MD5
30283f279ddf1ec626f7caaad8353454

SHA1
ec86dedd8b2ca69395e081daaaa7be45bfe1b524

SHA256
b127cb2213fc973cd50bf63115b74842584a05e27ccf858ae773b72bdba57021

SHA512
301517687e8dee59cf2b70866a79a95404f75adb4554d960a4e5e0d0b387917016763ad02bb22110dc3b56e1b30e4a9e0b545a6e5e848e78a0b0cd5a80e972b5

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
94c463a8fea7794d08156327d71885f5

SHA1
1e605d8c13b06e2111e16d4214992e690def063b

SHA256
e23125721f09213b960ca25fed91292f858efdb480d74fa29654334ad3fef073

SHA512
c48d4cd538d61f53193d88a6fd4376080d08241be29e6fc995505da13759b9ea9cf8cd65e5b7e0f47b3f36b102f9dad7bff6c6d74187d4af2d0cc0ef454be0e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
a8426afccd3def094fbe3a58bcaa7941

SHA1
31eb819756f2ee7f1932ec6b9dc29036107873ea

SHA256
12a27cde7186deed3be6f941e780e5d48e75b7b7a8234ee68f8df89d624dbed2

SHA512
70d59c9dad40af5d6d24d042c7dedda5c5482e61f17977dbd9c2cd9ec51914139c0312165b19a408b016690a56181e7b07f8ffce2a1ebb0012ee3089a5564ed8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
25892f20f624dcfbe4463f8be951fe1a

SHA1
c1285bfa6059ad515bc9bc6c82f80d232fdd28ba

SHA256
002c5113cbc10809693d20d9a92b2c54b9b95067d5fee4e71d5530a1e0a2c558

SHA512
30b3d0c52ae3932cc602a8b1f51a227e6788e9da18bb27e63b723fa19af03a70bd56fa25c529d3c9045e8c9a24e80f1c1646a64850f2bf22781b5cd220c419c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b59ac6b80ee00a502fff8b3dbaef2a09

SHA1
772302184ce9298d2e359c4e1981b4a5deefd7a1

SHA256
aeb83bdd6f573cdbbf0cfcd6285c73fed9a9696156341a83efbd5e0a9b2491c5

SHA512
3c4390b8eaec4a41a5651df1af2feb2a73cff78ee48ebb64f9b2713ba2080b70a63dad74bf5d00434f064fed5fbb3cf0d8f7f6797ea78ae64912314872ed88e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55f7079c640291968a9dd42addb6b106

SHA1
205ad8da0a456e96e65ea784be97a8692c06876e

SHA256
45a28fe850f5dc0a1b1ea8b0186527b19fd94082078a96d0ad642b5c1d3a69ff

SHA512
dbf60f9de4c7616e2602d80df500151e0ebb1fe4755c53a6e6ad077af3d5a12b0902ab0d8e5c5d366bd86e304d5e352b5b8d8ccc4640fc2a82fdde1d69963967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e355ab76345c772e0047a26856ae4f8a

SHA1
df10e939a0ff6d25e67d66c7af1078c6f61e1d73

SHA256
e46464f42b87b100d440471c0158c0e33130360b6afbdd937637755f9a776fd0

SHA512
c9430d489eb69ab7c5b79c52459c282b458cda049d780cb9671e85458d0c8e8313b8f4982c9131b0d54242bf5ae35ab6fe37016eade36cc11b3d07803fef9d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a3e5ab7f41592fc9997b5073ed8fbc49

SHA1
8973012e080b52cc7cba271a5bc9415c68e432ae

SHA256
9598d382c616a74ddce87a4432483f691c656cc20cf681121e7fdefc6cff6ede

SHA512
7d2797e0bf1a17e191b618053695276141f275756738345dc9e1e966872d93e10e182fc22616a07db90d2180859a500403d3f049f29dfb93f9789825a3509254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
9cdc7c7b65feb5952c2804cca826eb73

SHA1
a690bb2c13cb894c2c21335b861b7eae5ae3df4a

SHA256
22cf928448e116ea8b9b6d396a3b69d17281459dd716232d2b5034ea32fc5410

SHA512
f104a907cd739d82d5f5d06d7a10f9c16e2dd593acbc2b0a45b789332ba28397baba711b2b9a355b4c2504d58c22a906311177b34996e9378bfa9c397c449703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
f62e9e163afb2d62f693f90c6cb0b614

SHA1
10ae0b29fd429802cceab39d9af8446637401cb8

SHA256
0e09e00ea3591bbc3c2f9adb00a36da2c903855ac79ca55931f23fdbc61047a6

SHA512
84de3e3e79aadb6a9fb1c673e4223318acd669c2255c85295fef1c7fc8973f76158ccc86bd990ee99eb4581e3e8846a0b9d09d6874fddbae5eaadde83aafb4f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
be4a446362c50ea94a07651cb907d037

SHA1
3e67b3ca29e3bbb5c49720f6810ac317bc7c3cbd

SHA256
3b65362c8ba498a5f7ec986f798b7f63e072baf4f7fd0582cebb01ca818ee18c

SHA512
d76479f1da424e7e09cd193cd83faddd545aae1b7509db04879d96a476e9e254199527ce2b66856a2e142f2700926404af6e6ce7f1de37d1bf4c6cd603717bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ca4c2f0611945354631f66fa5c3b3380

SHA1
0076b4e30b0bf27141520ef97c5573b29c972522

SHA256
9d87a918fee4cdc8e35fa4c57df0ba1a6cc733818bbbd6c915ba1d59441e70df

SHA512
4672b9b868404664887683027b318ac8abf9d9a9ee2bd10161cb873a4c55844b2f9fa2fd933872a4a19f4fee7052d649bccf9a3ae67c7828b3ffec85972f4140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
5dfc733c576beafefb3b2fd94cfb8dec

SHA1
d8c17a0ec561d8e5a61a6bc371a16cce700d8562

SHA256
1d20c77ef54ba9ceb720d4f2f4f2bca9640d3a9f8fa6d45874e1577fbcc811c9

SHA512
f1086939892ac78cdac43ddc4056f2ed19be7f71fbd7244f9f66c546eaa76001ec9ba79765e41acc344889bd59ec2dba1e1ab27f60731f53e02170ca03b5447e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
735ff254f4693010582dc94d8ecede1f

SHA1
8d3a45ea58c52dd32ebdc4b65120b5fa70cc94fb

SHA256
b3200e8044088f9497818eea1488a214b161a1265788a56347cc1926f7044250

SHA512
0411dedd5fbd2bdfb895cb6f617c1967383aeccd780d6dd211e1c747fc093395565fb013a3236e27d4fdae85299d699d12ef3416a2ca01b814b2219752a6f506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
787d57c2f124aa01ace9b885e2f3ba21

SHA1
7ad0c6eb9c788f3fd37877c552dd9385017765b0

SHA256
3f99b16a673c43bfb61d92c0093887a9b15a5c05281a8aa674641b89b6856ce4

SHA512
43b21d22be8a7159c7fe64c98a539ec2b50e86aa554197d262a67cd69f33b7ca98c9fd55247bcd461fa3793b83dbc6e9f7cfb98ff1bdfd09605a93e331e77b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nndannfdnoaiphfcbbpgkhodebpoiocf\CURRENT~RFf766162.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab40E9.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar410B.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\??\pipe\crashpad_1016_WEXCNJTMYVHWUKYS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1704-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1704-69-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download