socelars | ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240220-en
resource tags

arch:x64arch:x86image:win10v2004-20240220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Size

570KB
MD5

07127266f2b20aa830a674f63da53976
SHA1

63b2eaa808be1440fa027da2f9fefb86575ca9cb
SHA256

ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded
SHA512

5f1314957c46cef6ac6b2dbc410f8114417184c3788ddd1d17340c9bc9982e6a16872794b5de3677ef509a550e6aef89097cbb31017884b15361cf0c3abfa8de
SSDEEP

12288:R7zerkKbDkVraNncPQFABDCc+LGZ2FzXJ0w7swXI/AMVVBW4oS:JerkJVraHFABDGCkFV4wog

Score

10^/10

socelars spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/dfgg320/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/memory/1168-32-0x0000000000400000-0x0000000000585000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-0-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral2/memory/1168-32-0x0000000000400000-0x0000000000585000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4692	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133529815966378901"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
4968	chrome.exe
4968	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeAssignPrimaryTokenPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeLockMemoryPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeIncreaseQuotaPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeMachineAccountPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeTcbPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeSecurityPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeTakeOwnershipPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeLoadDriverPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeSystemProfilePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeSystemtimePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeProfSingleProcessPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeIncBasePriorityPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeCreatePagefilePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeCreatePermanentPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeBackupPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeRestorePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeShutdownPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeDebugPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeAuditPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeSystemEnvironmentPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeChangeNotifyPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeRemoteShutdownPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeUndockPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeSyncAgentPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeEnableDelegationPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeManageVolumePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeImpersonatePrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeCreateGlobalPrivilege	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: 31	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: 32	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: 33	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: 34	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: 35	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
Token: SeDebugPrivilege	4692	taskkill.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe
Token: SeCreatePagefilePrivilege	3104	chrome.exe
Token: SeShutdownPrivilege	3104	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe
3104	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1544	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe	89
PID 1168 wrote to memory of 1544	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe	89
PID 1168 wrote to memory of 1544	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe	89
PID 1544 wrote to memory of 4692	1544	cmd.exe	91
PID 1544 wrote to memory of 4692	1544	cmd.exe	91
PID 1544 wrote to memory of 4692	1544	cmd.exe	91
PID 1168 wrote to memory of 3104	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe	95
PID 1168 wrote to memory of 3104	1168	ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe	95
PID 3104 wrote to memory of 2652	3104	chrome.exe	96
PID 3104 wrote to memory of 2652	3104	chrome.exe	96
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2760	3104	chrome.exe	97
PID 3104 wrote to memory of 2824	3104	chrome.exe	99
PID 3104 wrote to memory of 2824	3104	chrome.exe	99
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98
PID 3104 wrote to memory of 2324	3104	chrome.exe	98

C:\Users\Admin\AppData\Local\Temp\ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe
"C:\Users\Admin\AppData\Local\Temp\ad0626cdc01e7e2f25c886555a86ff0e7b66c21ae935a213d67c255e5d265ded.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc82eb9758,0x7ffc82eb9768,0x7ffc82eb9778
    3⤵
    PID:2652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:2
    3⤵
    PID:2760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:8
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:8
    3⤵
    PID:2824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2920 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:1
    3⤵
    PID:4820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3760 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:1
    3⤵
    PID:3516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5052 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:1
    3⤵
    PID:4324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5508 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:8
    3⤵
    PID:2688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:8
    3⤵
    PID:5008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:8
    3⤵
    PID:3576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3564 --field-trial-handle=1892,i,8286235677041862273,12671265624094577147,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4968

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
4d1fa363f31d0f4df3e5ad02d8316139

SHA1
b3e8e26d34b6e0ebbd9a9c8fd32a6e74056a1d2d

SHA256
de036e86740ce8f692b4bb0668c51e50b029e3d9d72d734bd8692124351689db

SHA512
b7c1db6191857142303321b5cb3a52f22d1e520aa12aa1875417429a0defd0f88738fa1ca2e9ecc95f549cc432ee62a1ad17f64ea5a23639f2f90f89bbb7ff63

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
94c463a8fea7794d08156327d71885f5

SHA1
1e605d8c13b06e2111e16d4214992e690def063b

SHA256
e23125721f09213b960ca25fed91292f858efdb480d74fa29654334ad3fef073

SHA512
c48d4cd538d61f53193d88a6fd4376080d08241be29e6fc995505da13759b9ea9cf8cd65e5b7e0f47b3f36b102f9dad7bff6c6d74187d4af2d0cc0ef454be0e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
3f938aec88f5819127982771de4544e8

SHA1
58248eaba59f05de146c861f285406ec514a31ad

SHA256
76af6a89c90531542579d61b2cadd33b67f4456a28083e22c2d1104cf268ce92

SHA512
4c66233d1e6e09bd22eead4b495e5245be4454d3d3e06e9de3f9b083c9d15998e5a8b1c01b485de1854343b289d8542ae935011900cdee96567709ee52667e84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
39acea5a40d7f418eb5db1cccc592640

SHA1
11cfe0f4ef220c75166fc37b7f1c51d7f1a29c71

SHA256
c799cab925f99227a75d45cea4dcc9d9f9bf753b7a534dfe93bbc2576416e800

SHA512
8ccd36600df3916c6504875823533b43a447b7ce62e263e07ba1f1c2b973944e09a2fb5ff9d1e9a83e8623fb7eddf83447da06179f589adc8c2d5d1cdd6ab215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c9b5da6c02f67cf7726b474ac6aa106a

SHA1
cdf5e80b49cc8953c800584a96a4fee21116121c

SHA256
5e86b7dd5317ad1bd7aaefe2fc4587f2a7e8a382e72c0981d833b9eb88355a54

SHA512
efcf2d0f67e05d784d3bed643b430ec20e84056085da4f91ec5b0aa6c99ef8b7db76a0dfd846708981562608eae3d71988df838d0df7eb969e47b19629fcd124

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
156032d23654f483c53c710323a418ff

SHA1
d06385f7f2d566d46799eefc890ca220b35b97a6

SHA256
a85a6d8698372df17b0ce5bc1ee3ed9dd9dfd91481997dde895fd7e58c07cfc1

SHA512
6213c20e360276964f74f73c39f9f62fd9a3274f616b370734b013dbbc50a5b518240176179139618a864e3086c72940b07747d98a89990a8ba07e7d4281a741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8d66982e2c3f8a5ff6cb20626d6ba519

SHA1
cc9e9754b00ce5f5bbd277437ca23a848f336cab

SHA256
8e418d81313cd4b32d95e15209fa6bfbd3a399524122b2f24f28794a2f1bdfb0

SHA512
06574b2307b7155222a25a418bec1f138f6b2465ba411213ba4f5c491ef470a7ea4a523d01a086cde5261eab740c4e434502261444b47ab7bc79278143b58718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
09092b589791fc67c2052b12057bb6fc

SHA1
a931c8e829e74ea9643d568dd5b0546631af808b

SHA256
65ca2bfe306a832f3c5316c48a8786df631010a59a354c863baeda47881affdc

SHA512
351d194945017178e9df9c1b1e5a296d0f23abe30cd0ab16de178ac20ca5f394834a5d7dbd21d076120d0141095cb820c8c2a4b6113be2423a80d5c3253b14f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c2ba89e8524d951544fbd6045a01e27

SHA1
acada4d2f797da78de08e866da7df2527e9bc727

SHA256
698f2d5b1f98d299538bc1c5ef98d3e39f5520435687bcb07e4273859398187b

SHA512
c3d66510e8f8b56dc2dad6326f636c6a828faa50980fe933890d3b2f88c4ad9f4ceffd2ba3bdf7777eb036ba1a241307f42eea2ff8657e906aa575b04a7b1047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
af344477346f42f29412102c8035c553

SHA1
ee15bab3e0843c7ac1fe1210829bad366db48159

SHA256
290e4435b7185b884c1bc9111a3b113c03a8bd52a418624d6d60a03234f75967

SHA512
c6862636cf54a99084a1c40c4c91a2ff5cc9e39294266d682f268768af7d2a0c49afe27e2d5ba8b63cff6f7faddbcb6304bca6906988ccaf0d432760ca82e3d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05579cba0bd8fe25e8a9ddf002c5be5b

SHA1
33628c27438ee390c37b18fecdf5ebd1e6089ca4

SHA256
1e7740ed7d821f6cb64d6733dcc4b37d4a612f24710a5044f1686ab7cc7a4556

SHA512
6b9c92072144a9506ebadd775b41eff39e672b14b4dadd4f83ea3d426d01cedd6d49ba564b1b8137c745fb8682c10c3945c081685f70c596970170b7118b3f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2f75f9449e5983d392d8ed9535f8591c

SHA1
243d310542a186221b370ed097eadb8aaeaadfc6

SHA256
02640b2b4cef9a30d15ef370cc6aad48b70f48ed1ecd38baff6beb9df5bb088d

SHA512
0838f27cfec4a57829a7469d8577b3268183e78385f3dcf0bf51d1104d494bdb0549250e16aa06dcf476b74cb6d57e4f32701bab9bfcb0b722c62febdb5000d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ed412d15-4c5f-44cf-84f5-159ea0fcfbad.tmp

Filesize
16KB

MD5
9d4dd5dcc3a70611300ea092360268b2

SHA1
c257fa93f72ae6af5cf8ab0098483b7ea356f9de

SHA256
1e5a0a71eaad723ac9ef6d1713f09aed5cb16d51e649b6782da7d7610751d12b

SHA512
ee7575193d07272983ae1c8158d853ede3e5fb14212d7839f159844bde8ecf6abbff1bfee4e902b4326cc48a5275fc46bf9d3df615b2e0489ca5269516100762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
f110e0a0f8afd61d09cdc594058a50fc

SHA1
c02778920b59013b1e1e7c1afffff944c70f2f69

SHA256
b5d2abc8ee16a495db52777680e1302b156b5456bed375b31c040f504def9170

SHA512
4df0357b662a8a0d7d3b9398b7599580fd185fc47fa9e13b6ad38360c233af0cfe971bf392796d3ef33076023c6a90fb38dc2da3b48472e2205b52a834381556

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/1168-32-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/1168-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download