925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2023 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Size

1.4MB
MD5

31852867c5a2cd3d90dfbbe321654389
SHA1

c83539d755f41a33780eb5a2a4b793c9e1891140
SHA256

925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8
SHA512

2ea153c9bb63bf47bfd8b0dfa3fa3ea0dda1cd646e0538b33eba33cbc3073df29164408f10997be197482a72b819a203c465caff00312d6695395defd267e428
SSDEEP

24576:6GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRny5hQSQ:ZpEUIvU0N9jkpjweXt77y5uF

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3992 taskkill.exe

pid	process
3992	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133228897384523058"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4048 chrome.exe
4048 chrome.exe
1436 chrome.exe
1436 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4048 chrome.exe
4048 chrome.exe
4048 chrome.exe
4048 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeAssignPrimaryTokenPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeLockMemoryPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeIncreaseQuotaPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeMachineAccountPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeTcbPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeSecurityPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeTakeOwnershipPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeLoadDriverPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeSystemProfilePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeSystemtimePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeProfSingleProcessPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeIncBasePriorityPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeCreatePagefilePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeCreatePermanentPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeBackupPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeRestorePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeShutdownPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeDebugPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeAuditPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeSystemEnvironmentPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeChangeNotifyPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeRemoteShutdownPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeUndockPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeSyncAgentPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeEnableDelegationPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeManageVolumePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeImpersonatePrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeCreateGlobalPrivilege	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: 31	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: 32	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: 33	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: 34	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: 35	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.execmd.exechrome.exe

description	pid	process	target process
PID 1204 wrote to memory of 2920	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe	cmd.exe
PID 1204 wrote to memory of 2920	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe	cmd.exe
PID 1204 wrote to memory of 2920	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe	cmd.exe
PID 2920 wrote to memory of 3992	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 3992	2920	cmd.exe	taskkill.exe
PID 2920 wrote to memory of 3992	2920	cmd.exe	taskkill.exe
PID 1204 wrote to memory of 4048	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe	chrome.exe
PID 1204 wrote to memory of 4048	1204	925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe	chrome.exe
PID 4048 wrote to memory of 4928	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4928	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2800	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2180	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2180	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 2952	4048	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe
"C:\Users\Admin\AppData\Local\Temp\925c6d9fdfbe1d877d2083289f36899747799e57c07348d426518f3014c4b0a8.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0b119758,0x7ffb0b119768,0x7ffb0b119778
3⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:2
3⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3188 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:1
3⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:1
3⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3828 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:1
3⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4792 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:1
3⤵
PID:444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:8
3⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4712 --field-trial-handle=1824,i,16274039501091240554,9962069234788358630,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
0396620dac3ce1bcf347ee944c310e5a

SHA1
33fb5d6f03e2e2a3b829b2140630bac342c3a584

SHA256
ec4b93196b1a236a694334a417deae72280343ada46d11c5dbb4297489979cf6

SHA512
cb4a1829ec3131cb7137cad5e87cc5b20ed09aa03afa288601222014e3925b86ed4648fba23db0664851b5a57236171a839c4cfcb402d0447317e77ae848b80e

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0488f96d-7d93-4d13-895a-0b5ecd2c8283.tmp
Filesize
11KB

MD5
50946888df1f28e14cbd7501be8b3640

SHA1
20f08ff5e25de15c6b2c859b58086f5094bbd471

SHA256
a164bb0407892cfaf0c338fdc6b0444ecaecf26c62a6ae0550bf7ecf5c1b5547

SHA512
893c1dd7b8b5f4f2fcbdfcb1030dc5c162cdb326aad6186cb35bb602eaac7697052c13ddba9c1a5cf6f61146cc58945b6515d933f6a109254f81509d27af1201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\298bc32a-b730-49da-87a2-8b7ecfeaedd8.tmp
Filesize
5KB

MD5
f527c7af12fa72d6ccd9b532e1079404

SHA1
e923d75cf6ea7d4b7a26fad50ba995e0fa931101

SHA256
475bde5e09d3efa4bf2c2536cad9d485edfd2fa623dcfc0b5c47bdb4b0b73e95

SHA512
3683a719497a71666def2a2c5649e2074b9623046f9f5bcd9e390c961a93935a056d5164e44b62c01e54ea77734a199c38425fcdcc9c9c6dc19ac6d761d4467a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
da73db47320f0f6fca4e0f1d32ad933d

SHA1
9d7147969e6668e1aa60ef05f14c7f701a1f06b2

SHA256
4e9682b59ba03631f55f57269c3251867d9132bfe4c91dcf0596f6d1424344f6

SHA512
18b0157cb563c47f7e260ac09d0efa89353fedd1026ddc9a27ab6dacdb0280c1a149a08bf0d6ce7f5e8987338fe8c8a4546b80dd3108e6cd5761210dcbbde831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
866B

MD5
6e33cc562ec5325393751b77bf189c0c

SHA1
d95ca3cf04013737c66bc2c53f4076bf5518990b

SHA256
518656ddfe8818b9cb1ba20ace095328dbbf9d517eaf923b032ce01c0c6334bc

SHA512
684712d9118a0a18e1af129a799a1dc1e1bfd2356df00ae7ec13d8e58e9e5781ccb3cfdd0df565bc5d8823e8b68dcadef3c0ad0e8a50b5442d57dde57530a4f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
872B

MD5
8d4a355671660df5614b0fd3f5926ae4

SHA1
3b2f479931547c2b87b1fec6272a815a160c8d9e

SHA256
7ed13c1e4375582e88bdccc478829b38575691d7fa090bf4b478fc17053b91bc

SHA512
d22a8106753c4dd151d6507f7efa121ce61ea04bb7ed29a0c8e9e986370291a33eb151275e6ea11fd10ad6d1e70e532367165e21cb517b1ea3564bbebf1bf6da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
866B

MD5
1d8a5155fb2bacab5b59cead59f65127

SHA1
e8da134bd25dbf0daa4f0dd1210c407477b11c38

SHA256
6afab71a9ef67f9a0f3bbcf6e0f3fd966b16bc8a03665071ca713f681b437d49

SHA512
442d0ace5540ed946c9f7a2725a36e31e37bc967a4b7681d399b81f055b2633a2a1282f3c983ad1427289f9887b4e7d3828d2ae38d42eb985df527bd6438fc04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
872B

MD5
680497f746e505bb49b73c71a42dd770

SHA1
caf392fb8a5a37ae2f130f4c99319bc5b7ab69b5

SHA256
1c2950f1ed20dd6aa8659a3ae959081578096ccfe1fa63da350898ccda4a3d81

SHA512
96dca9f314438c052b95110cdee39ff0ff9d947ecb826b47e3737d21547891f420dd0cd6fcc34eacafe2806b7bd4264cfe5352b88fe1c0a354d6f28f5d567daa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
38b812ed5717a4dfe99f87bb639aa191

SHA1
55033a8d3673a19f5169c7d4245c4bc44c73522a

SHA256
7e1c311c9af9b2c92207ca81dfb44b79441dd1633bb4d427cd2b4893dcb6dc79

SHA512
8cf6ac341338c4a748db485902dc0246481f246b24f2c9b21c805c9813ea14fdd00dbe995f3b8d3ee18e4ed2cae7ab49c30086eac17cffe9b7f0e8719db9bad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dbc45090fc41fc7ef9a10fdbf710262e

SHA1
15b87f97bf30abc4a9a27484c2d53db8fa4b04c2

SHA256
3edc5eeb85a7c9a4e263db00ee0e21c393a2d8515ac2a8ebb0ff1565f71243a9

SHA512
0d099029b5233dbb6416834536e1cdd19801135509b2623ec1ce0b83b4093ff3b11d192f6fa9d846784f862fd085800c7186e5b7e68d1a3149c083364c4b4994

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
2bd089522b71dd2e6569cf4dbd69b222

SHA1
a2b4409d48376f611aa238341e60f4a19f9625f6

SHA256
147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009

SHA512
359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
d764052501eb0e846d08468e3b78ff9e

SHA1
d52b26530c972e5ee3f445408e11df1a041d2f1b

SHA256
0efa4b309d0c83f49736b761db51a5de8ad7fda99d3e24f45cc3df134e2aa3ed

SHA512
797399bb6a53a62373d444c35c3db86ed7609fc59c4958a4d09e9efb98d6955bdff7081ed91160afa8939e9ec880a57d67fb4e62b755e3819cfa5ef621d40e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4048_WMVXABJQPZXZKSYS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1436-301-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-295-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-296-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-297-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-302-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-304-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-303-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-306-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-305-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/1436-307-0x00000271C09D0000-0x00000271C09D1000-memory.dmp

Filesize
4KB

Download
memory/2800-163-0x00007FFB28EA0000-0x00007FFB28EA1000-memory.dmp

Filesize
4KB

Download
memory/4760-208-0x00007FFB28230000-0x00007FFB28231000-memory.dmp

Filesize
4KB

Download
memory/4760-207-0x00007FFB27BD0000-0x00007FFB27BD1000-memory.dmp

Filesize
4KB

Download