08670af7d68a021ea6c210b0ab02972a6cd74b2be0df71740528de328b8feeda

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2023, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

557a35fee4d3df87b51ce386383a74a5.exe
Size

1.4MB
MD5

557a35fee4d3df87b51ce386383a74a5
SHA1

f93d76b3256c3ba685fc8b9702fafc2dd8b724e0
SHA256

08670af7d68a021ea6c210b0ab02972a6cd74b2be0df71740528de328b8feeda
SHA512

41bdcb6f89f25b589fb57cda296a39e3052eaddde46602f85c548f693715ec7c52c6750a7e091570674a03a6f1aa9defdf81f23a6c1d5d37267f2fb711a9aa9e
SSDEEP

24576:RVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrEfl5hrtEW:/pJOl8xFMRy/SeQgN5Z2W

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	557a35fee4d3df87b51ce386383a74a5.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	557a35fee4d3df87b51ce386383a74a5.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	557a35fee4d3df87b51ce386383a74a5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1344	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133221731054803458"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
2220	chrome.exe
2220	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeAssignPrimaryTokenPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeLockMemoryPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeIncreaseQuotaPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeMachineAccountPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeTcbPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeSecurityPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeTakeOwnershipPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeLoadDriverPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeSystemProfilePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeSystemtimePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeProfSingleProcessPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeIncBasePriorityPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeCreatePagefilePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeCreatePermanentPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeBackupPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeRestorePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeShutdownPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeDebugPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeAuditPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeSystemEnvironmentPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeChangeNotifyPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeRemoteShutdownPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeUndockPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeSyncAgentPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeEnableDelegationPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeManageVolumePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeImpersonatePrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeCreateGlobalPrivilege	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: 31	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: 32	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: 33	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: 34	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: 35	2992	557a35fee4d3df87b51ce386383a74a5.exe
Token: SeDebugPrivilege	1344	taskkill.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe
Token: SeCreatePagefilePrivilege	4188	chrome.exe
Token: SeShutdownPrivilege	4188	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe
4188	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3928	2992	557a35fee4d3df87b51ce386383a74a5.exe	85
PID 2992 wrote to memory of 3928	2992	557a35fee4d3df87b51ce386383a74a5.exe	85
PID 2992 wrote to memory of 3928	2992	557a35fee4d3df87b51ce386383a74a5.exe	85
PID 3928 wrote to memory of 1344	3928	cmd.exe	87
PID 3928 wrote to memory of 1344	3928	cmd.exe	87
PID 3928 wrote to memory of 1344	3928	cmd.exe	87
PID 2992 wrote to memory of 4188	2992	557a35fee4d3df87b51ce386383a74a5.exe	91
PID 2992 wrote to memory of 4188	2992	557a35fee4d3df87b51ce386383a74a5.exe	91
PID 4188 wrote to memory of 4636	4188	chrome.exe	92
PID 4188 wrote to memory of 4636	4188	chrome.exe	92
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 500	4188	chrome.exe	94
PID 4188 wrote to memory of 3788	4188	chrome.exe	95
PID 4188 wrote to memory of 3788	4188	chrome.exe	95
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96
PID 4188 wrote to memory of 4888	4188	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\557a35fee4d3df87b51ce386383a74a5.exe
"C:\Users\Admin\AppData\Local\Temp\557a35fee4d3df87b51ce386383a74a5.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8aff59758,0x7ff8aff59768,0x7ff8aff59778
    3⤵
    PID:4636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:2
    3⤵
    PID:500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:3788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3188 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:1
    3⤵
    PID:2816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3320 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:1
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3924 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:1
    3⤵
    PID:2640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5020 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:1
    3⤵
    PID:1140
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5048 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:388
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5280 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:3548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:4500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:8
    3⤵
    PID:3432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5492 --field-trial-handle=1812,i,13483484182732084217,5622010136952950105,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2220

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
a057e853886f5f463ad9ce832c887a78

SHA1
9426716d0cf6161b9762e76bd95603bcde6254a8

SHA256
0516fde98cadba1b81adadd44235018a2ff4cadd7099cc0965fefa612686e1d4

SHA512
e9c928e5560d100312d4b2e8317eeb7c6bb21eaa271dd7232100ded5d6772c14e42ebe423e1d7dbaaec959e65173afe940ac6ad45b351c8dc30a24636a77bea4

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ab2c10c-2ccc-45a8-b620-73221336f9fe.tmp

Filesize
5KB

MD5
a119fbac251daa9719bfb11137fbfe32

SHA1
434ce6910a122c9d7a69dc032a411a7b75d566c8

SHA256
32918c3a35765a390f4ef2afc6e993f6348c8d2c9dc642fec8a43c208df1b875

SHA512
3dda4b6ee75aeb8d3ff005476363530d94519bba29ea6fd0dec5a8f6699728c965e7ec2da11d88189e5c8e00b82d907c472dbe97def9a77479c81004b6d340c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8a22b1bb-3698-4702-817a-81a8b4c18619.tmp

Filesize
11KB

MD5
50946888df1f28e14cbd7501be8b3640

SHA1
20f08ff5e25de15c6b2c859b58086f5094bbd471

SHA256
a164bb0407892cfaf0c338fdc6b0444ecaecf26c62a6ae0550bf7ecf5c1b5547

SHA512
893c1dd7b8b5f4f2fcbdfcb1030dc5c162cdb326aad6186cb35bb602eaac7697052c13ddba9c1a5cf6f61146cc58945b6515d933f6a109254f81509d27af1201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
cdf685888fd4e0e9f54174187b203063

SHA1
90efc782c46caf612927af044eb0345f1ae20729

SHA256
759d1b80971e5ad2051e92d47cf75e9bdffa2a1615b38e0239fead8ccddfcdae

SHA512
0ec0a45a3193fb056fb74c29c29abd7748ff725e9122b05f9a94924eeec96c4674ed909e0f74f125f21973221b976728b60e3b7b08c96fa23602081d9a3b392c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
9d1c228c81a09df02134b57a47517bef

SHA1
4c5727b3536bf030cae16a9cbb47e9685e01f800

SHA256
9ca5fdfd27ffc0297da852b14ab8a1c9d38d78c056f8134628f5fd90e42ca5e0

SHA512
50199fc6386d1696f5cf9ef4c6f7ec53bc9c22c87c76bff7347ef8a0df069ee9cf72e7295409d2d4219bcb306aab845a88a9669f4927d7962b964435bb5f4c51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
868B

MD5
412708b9db4d111b7b27f871dc7ab963

SHA1
94bda917969dabc7ee62bc745117e06473263251

SHA256
bfa8d441b451b59b7e8a857ea1ed9c56378dc3485e9bace78cf21d62daa2d109

SHA512
03217d232b5dd99cda8dd8586bafd02ea04a229247d9a5c7ed4ba3cde46e546a1bd9ad3bc8ccd1731cbfe9856f793a9ea9f54c48336128deb776d34cc25d1d0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
542f0a0c03b514b75cd2e02d0088d7f9

SHA1
0eea41012c795ff42b729d1f2671bf46beb1463b

SHA256
9b428a05f61cc325784fc3cf39fa6f82da60221e0f143ab588b6b64f33d6bc08

SHA512
5fb474abd69d8fa588e75d0b091902e25ba7f5d936c82fde975fe92ce854444d8b80423410d122909c3c7e6a33c71edbd58dd2c4e0e1c0f69accd5551255b1bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\f6892972-8e9b-4d29-9aad-78b0e7512c2a.tmp

Filesize
2KB

MD5
b141bf8efe5581582a8f43d873208c1d

SHA1
ce66f3482e113af44630e90e5bf8b73b3275be16

SHA256
36d8e1c2c3b071f1f6582e6c110debfc68a36c53909a37724a6f24ef9d256cf1

SHA512
02f4e67edfc8e684fbbae79fbaf5f20fa037f97daeed3e4502b38982d8a609fbede40eca29f63d5e07d82b03a25050386112cae4c7e9284e54a25ea450b4879c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
579c1941b363716983938dffccd622df

SHA1
4ff2ed5b9f1291c466819c23add6c626140515a5

SHA256
48e893817e035a66369f2f0faa5b4ca7a1162039b33b24a83cbd2c59e16c6b6b

SHA512
dffa2412692c97746fb05497ed5ea503532dc40fa572e06f74be3ea8a5a7634bb06a5459bcb6efbec58a42c697ad6ae9a735255f190e7553eb4190786a54efea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d926725a91931c068cc35335cc717d60

SHA1
b674557f0d7e33bf78f7789351150920c41da633

SHA256
2b1191451b20c5e3396b33662019f4c0a944b2bd86cb851c663701ee3100c172

SHA512
3c5dbdbb767de3604b5b8b7e5c4eaaf533aee405e3de2c0d79de982722d41e283ee3c12f4c4c79fc082f0795a90d2f29b736fef719f7eb43e616a4904f338971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
2bd089522b71dd2e6569cf4dbd69b222

SHA1
a2b4409d48376f611aa238341e60f4a19f9625f6

SHA256
147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009

SHA512
359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
141KB

MD5
c5354de59db6e083f957ce89b7a87362

SHA1
9e50e1758b8afb9932424c5acec913ade4d85197

SHA256
ffe81264a40c1a8dfe669943e123c9060e887ba7b474ee0fe3c65848523bdd97

SHA512
3e31d9eaed3a26528d323dd5a306743e48479d5b2bbab7ee1e0193b03797570b951231a78d6df7ef38fd6394d8063dcda9a2fdb1a807b81b7e57b098ef5ee4d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
memory/500-162-0x00007FF8CDC00000-0x00007FF8CDC01000-memory.dmp

Filesize
4KB

Download
memory/2220-293-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-294-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-295-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-299-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-300-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-301-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-303-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-302-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-304-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/2220-305-0x00000285881B0000-0x00000285881B1000-memory.dmp

Filesize
4KB

Download
memory/3548-207-0x00007FF8CEBF0000-0x00007FF8CEBF1000-memory.dmp

Filesize
4KB

Download
memory/3548-205-0x00007FF8CDA60000-0x00007FF8CDA61000-memory.dmp

Filesize
4KB

Download