socelars | ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Size

570KB
MD5

c08aa458038e4d9a46af3573265d03c6
SHA1

fae30ccd9f1a2b230e26cdc5ee75656db3ecf069
SHA256

ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab
SHA512

266176c22beae3c874bcf1bc93a1538ee7f34781869dbbf4845e43759d720b218a6fceb32f292edade227da9438d674ef360807beed5e108f34c1147211de8ad
SSDEEP

12288:G7zerkKbDkVraNncPQFABDCc+LGZ2FzXJ0w7swXI1zjjgPUYSGoS:serkJVraHFABDGCkFV4w+UUYS

Score

10^/10

socelars spyware stealer upx

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadfe410/

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 1 IoCs

resource	yara_rule
behavioral2/memory/4636-32-0x0000000000400000-0x0000000000585000-memory.dmp	family_socelars

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4636-0-0x0000000000400000-0x0000000000585000-memory.dmp	upx
behavioral2/memory/4636-32-0x0000000000400000-0x0000000000585000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	iplogger.org
14	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4936	taskkill.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeAssignPrimaryTokenPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeLockMemoryPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeIncreaseQuotaPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeMachineAccountPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeTcbPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeSecurityPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeTakeOwnershipPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeLoadDriverPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeSystemProfilePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeSystemtimePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeProfSingleProcessPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeIncBasePriorityPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeCreatePagefilePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeCreatePermanentPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeBackupPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeRestorePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeShutdownPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeDebugPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeAuditPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeSystemEnvironmentPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeChangeNotifyPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeRemoteShutdownPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeUndockPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeSyncAgentPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeEnableDelegationPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeManageVolumePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeImpersonatePrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeCreateGlobalPrivilege	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: 31	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: 32	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: 33	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: 34	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: 35	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe
Token: SeCreatePagefilePrivilege	3284	chrome.exe
Token: SeShutdownPrivilege	3284	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe
3284	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1268	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe	88
PID 4636 wrote to memory of 1268	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe	88
PID 4636 wrote to memory of 1268	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe	88
PID 1268 wrote to memory of 4936	1268	cmd.exe	90
PID 1268 wrote to memory of 4936	1268	cmd.exe	90
PID 1268 wrote to memory of 4936	1268	cmd.exe	90
PID 4636 wrote to memory of 3284	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe	93
PID 4636 wrote to memory of 3284	4636	ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe	93
PID 3284 wrote to memory of 4872	3284	chrome.exe	94
PID 3284 wrote to memory of 4872	3284	chrome.exe	94
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3732	3284	chrome.exe	95
PID 3284 wrote to memory of 3904	3284	chrome.exe	96
PID 3284 wrote to memory of 3904	3284	chrome.exe	96
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97
PID 3284 wrote to memory of 5108	3284	chrome.exe	97

C:\Users\Admin\AppData\Local\Temp\ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe
"C:\Users\Admin\AppData\Local\Temp\ee06f493c0933e9a790f322fa32fb7186f5735a6498dd096d65722380226b2ab.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffe27919758,0x7ffe27919768,0x7ffe27919778
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1720 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:2
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:8
    3⤵
    PID:3904
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:8
    3⤵
    PID:5108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3180 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:1
    3⤵
    PID:4248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3216 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3736 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:1
    3⤵
    PID:1852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4912 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:1
    3⤵
    PID:764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:8
    3⤵
    PID:3628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:8
    3⤵
    PID:4900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:8
    3⤵
    PID:1516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 --field-trial-handle=1916,i,864187706075828693,13999102250581112771,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4604

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
07d5b1dac3ccf59e5813a4565efb3e76

SHA1
cd2d043cf82c3213225a0ce229849a0df00ca6a3

SHA256
1ed59a872b5f23d258e5977744c9370384bba9c0a174275d28dee85f3e471755

SHA512
31ce69879494d315fc2e55eb62b52cd0eb83b5d6e0a5486813733ac94168d51fe48cb8180f560a5043e47e9a61dfce71098dcc3ea7ac196c3c238864d1ec6210

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\85a909ac-8490-47dd-8ddd-a1660fc24a80.tmp

Filesize
16KB

MD5
3dfe9508751b2c637bbb43fdb0bd2ac3

SHA1
176e7985dc9ee6023f4334d3c2546996746c9530

SHA256
127f7e0ca7a4b9d0656113d91eccfde0bea8b30189bdf14ec13d0e648a088da4

SHA512
2bd876b8f81e6e88c9b2e673787be3d15ae17c43edc971f538c2778b362d048a6e97fde1dfa2054c85452cdc85af976f598ba7e7c329044cb8d41a80380eb939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
98bd0259dd10fa5e555af3664aa95c0c

SHA1
79334e01318cec3c0997263fecad97245887f612

SHA256
d74810c1964e95dd2087e4199000c70bf01d959d7593730d7766fcd36be8f02b

SHA512
e26546d05db8d640ec9b2f95a287d478ef183ca8de609e64bd7b6522af5d54f801f065aa4b9d92f715508eeb31dcd0bab1ae726b2ea1f45ce187a5e540ffdd3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
003b121b241e620f289d0d8e6cc6d33f

SHA1
4d9f12e1ec122899a2ce3b176d7b9799fe18bd97

SHA256
d165322d78dfeb3c88d87a6f67ac688436447618bf699cbdebf7a3ef73cb81a4

SHA512
b744329f0bc6923167263882e5042a977a8f677a7175248ecf6093fa862f4e7849d6d355c994fcacf893b86bfa308d450bd7279772ed53389400b00274de7d3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b836f9e663d9978983de4e31af81d274

SHA1
c0278398c7ea34a704097b2e4a6d260e79c04af0

SHA256
54bfc39fa678a31154be307378add2307d610aba121073a5a511d40994d830e3

SHA512
b3cbf8756347d018f033d5c64db69da3befa8336e672aebcbd4befb40973c888306da9f7c510643cd5347789b6048d9ace876b7e666cffce01e68da9fe27647f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3e9bf85b6d36420b082ab77ae82f4d1c

SHA1
3e95dba32d19dbaa93f264337a7db19b65c72574

SHA256
627c530e5e534e24c3f4325dd820cb696854a8991779722ee4d30ee45a60a52c

SHA512
6c7c584b0aef130e45f466799d5d981fff94c187107e05642d2df00f39e5b2ba5a885cfe772da072a5d8de4641009ccf5178b0c788af019f26df95b31b1c73f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7f1bce2df26cea9ec1bac625aeb2dac5

SHA1
edc0d9d2898d5506fbdc574da8a42469dc66acbb

SHA256
b34a6f7eff51d8afaaf079301b092dbe9d40ebfb117e9f294dcae47469f7a947

SHA512
2fbd42c7201d7c3c36f7db5055cb9996c8d16f79eac8f1fb9cfdfa1bb28b9c95e97d864b11dc062de91fb5a05c813496a4f71e40763ceac0d9e312367a28f6e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9a106fb7a565123d4146fb2e006a8894

SHA1
a4ac0d2caccfdf8447509ffbe625ec99a7aeb2fc

SHA256
7fdfc60fc54d0632307f7cdfb052cf25d5dbfd44911f2004f2cdc2e288c26561

SHA512
e0ee12186b951b6d17421224d8a4a3be3b92aa88fee0b60caddb779164e825059d6f5e2268454969cd5fb80fe41454d7a585306fef7417d8aa5993367c857710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
58cbd6b533d1ef4a1405ec78b8a75a4c

SHA1
11a16a9424645d0aa1c981bf03bef0a8d17e5c56

SHA256
04b5005c845cc88bceef15163534f2e8ba711fb4b4f434f478cee5fae5232821

SHA512
1aff6e5533da69c7f9f2f9ad3c4078c492d7340a552cdca2e902e8e6259dbf6f0472a3ac12ae7c6497e0acec9a22d03de4d2e3fb68ccf4506ca1707f7f4292e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2956e36e73d469d8ffeec4e5f9e4d02f

SHA1
659f9963051e4d2944f7b0e1a231ef059f1a45de

SHA256
12ca9bf43c4e0d9007a5a76c72c354828fad1a37c157354ad492f83d9aaeedd1

SHA512
81f4bfee2e4020bb264cf03e4a34518f82b855fd3ef700fe8694d82a354d553170f11c60ff76e2b45e6a49b951678e8d6a2b136612b948c29af7857728a77413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
256KB

MD5
6ab2cf7c88ccf5d31cc9ebe643555c15

SHA1
e83fe466407ec55ef566690b77327ce7455ca2ce

SHA256
a6127b2a77a3d68cfa67ae39cdad58df860487b849997bc7f255ccd5b9ed38fd

SHA512
f3360f1f503acf589752ff744407f7d423b4ea824661353acf1ab5704b411047c8854ecfd1b179637f83ea3b5b6e0b8b701aa627add1ac32c76c433b0f58d7a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/4636-32-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download
memory/4636-0-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download