fdfc298e48aaab6cca0c63206b71f955611be65bbf8f07d4625376e1bf9b980a

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13-03-2023 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Size

1.4MB
MD5

8533b416cda231b2d9bbe68a563b69e7
SHA1

cd30d0f120fc722765268e235f70db947509b408
SHA256

0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6
SHA512

943367b78d793a89376d73e81142db7cd14310af555d2501a2d505ec38091d28f2948c8ea64503612a01bcec3ff778e1efba2f348ea65191debe2df3d2246cc8
SSDEEP

24576:uVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrE7P5h1thW:KpJOl8xFMRy/SeQgj5vDW

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2960 taskkill.exe

pid	process
2960	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133231713202858230"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3432 chrome.exe
3432 chrome.exe
3432 chrome.exe
3432 chrome.exe
5052 chrome.exe
5052 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3432 chrome.exe
3432 chrome.exe
3432 chrome.exe
3432 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeAssignPrimaryTokenPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeLockMemoryPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeIncreaseQuotaPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeMachineAccountPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeTcbPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeSecurityPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeTakeOwnershipPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeLoadDriverPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeSystemProfilePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeSystemtimePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeProfSingleProcessPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeIncBasePriorityPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeCreatePagefilePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeCreatePermanentPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeBackupPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeRestorePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeShutdownPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeDebugPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeAuditPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeSystemEnvironmentPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeChangeNotifyPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeRemoteShutdownPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeUndockPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeSyncAgentPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeEnableDelegationPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeManageVolumePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeImpersonatePrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeCreateGlobalPrivilege	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: 31	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: 32	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: 33	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: 34	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: 35	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe
Token: SeCreatePagefilePrivilege	3432	chrome.exe
Token: SeShutdownPrivilege	3432	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe
3432	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.execmd.exechrome.exe

description	pid	process	target process
PID 2392 wrote to memory of 5060	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe	cmd.exe
PID 2392 wrote to memory of 5060	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe	cmd.exe
PID 2392 wrote to memory of 5060	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe	cmd.exe
PID 5060 wrote to memory of 2960	5060	cmd.exe	taskkill.exe
PID 5060 wrote to memory of 2960	5060	cmd.exe	taskkill.exe
PID 5060 wrote to memory of 2960	5060	cmd.exe	taskkill.exe
PID 2392 wrote to memory of 3432	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe	chrome.exe
PID 2392 wrote to memory of 3432	2392	0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe	chrome.exe
PID 3432 wrote to memory of 4576	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4576	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4004	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4464	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 4464	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe
PID 3432 wrote to memory of 5008	3432	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe
"C:\Users\Admin\AppData\Local\Temp\0ec0926fe0443ee7227293334021072b3d82f3d1d1685c67fbf1505603eab8c6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb36059758,0x7ffb36059768,0x7ffb36059778
3⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1760 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:2
3⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3188 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:1
3⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3324 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:1
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3872 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:1
3⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4788 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:1
3⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4032 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5240 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:8
3⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5368 --field-trial-handle=1836,i,13848753396127512367,4182979409659178107,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
6d4c3eb1dc3eeae8b89791559936471c

SHA1
4c8b32bd3c4bdfb0dbbaa640ef105331aed356bf

SHA256
defa2d0f08b17913b6c24100ac3b307d9232d368569b9cb5ffa115492025bcd7

SHA512
1233a4a48803bae794d0a2fc5404af4ac249f00d221f00c81dab1493548ab32e823320deac2fc5d66c1c5e7aee0f83c73eb62e65672cb9e18ee8149979deb4a8

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
aaa4367aa0899674fffc988e5dabc118

SHA1
2377e936fd1be53560d3598002f6e7e8636b4dfb

SHA256
ea62475082507927ecb24697e12915c1df57034588fe6e5b934f36911b6dfed4

SHA512
4ad43fe2e5dea39686251bf51a466b6a791304424d87b57f22b872909146a871b414e3e239a2334df88507aed32a36558dcec5002f92c9ef807469083135fa0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
b40d0dd332be1da6139c7eb5052fb2c2

SHA1
65d1d1eb8a93af4b8a0be73ff3562b67a0b6f8a3

SHA256
f667751f1a04cfe39c9011ba10af0d8e0cdcceb59b8331160bfc5975f5e259aa

SHA512
40fcef937bccdc92d46ba002ff8a4770972d2c622718db3be2efb517fa15e57f78627e668810a05d9c888c502142a7b74815f8dec74b9a07ec8633d1558cbd22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
8cc5a06c9756f0223e2db01fbc1740f0

SHA1
780670c1f979f3f49fcd1ae850bab4ffb2ea6669

SHA256
45aa3b76872e42105a31f4ccb453e709cae322a9a07873c1b4297c3f2b7fa279

SHA512
3fcdcd3e34a44ee017d823088e2744d9e86df95c32c2edbd2db8b985dcd627f3cb06a83f842afa8ea2c59a201bafb41eaf99f5528b1b6b658ab4acb57910a028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
951bc2fa793559ee31eda5660a850072

SHA1
26229081a2bc14860da0ecf85b50fb9ca852d173

SHA256
627301f649a3cea74ab6ea85adab17cdd151431523c52ea37d7d2a0c053b8204

SHA512
421104b9376aa9bd19bf3653b248b5846edd1b2f6ab5ed2d5bb2d7a231012ce1609f31776078fa565d3adfdf853e81e4a1e56ac8a3e5f56718734c152e783009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
b9924433719cf8f5e43f892b5dd70a08

SHA1
326736776881025afa0f1eef570239c4d44a7e26

SHA256
1e49657433937320e93fce27b6f2e4a7d859f988d4d663423d823a7cb95a9bee

SHA512
380ad05488ec3cd8f8812117bad8cf5f4d48bc0ea0260e5511f7a07ba4f903686576ea24bbfc3f4d0f3cea85c52ec61123c00dbd1cef8d6d80187a19b34ed753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
705166bee8849a5f8dc81dc72cefc320

SHA1
d06336a546212c9a86ef0613ccd03ccdb2d554f2

SHA256
b06fd13db8771c650b7dc82ec9024768d3dd7d3c618831d2f675b01532d2bcd7

SHA512
7aac1d8f3a57f49c384afb02daf321d20c9f093775a2ddef644f1cf01226d96cc69e02234785b2747d3c40a2ab82046b0aa424f983910cd5e30e7024799c9991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a7e080dd856031cd305fa9b4010a1975

SHA1
dd6ef63dc5e88e62a90a30cdceb15b3597863353

SHA256
8570145f366753970e3949ab2e070deefdc7ef115436563caf3a5e46793eb2b8

SHA512
be00dfaf31672994357b58808c35da1cd11fe7637dadcedc4ec0d785877e890a073bc5447e863d4bb68f2a068bea43a7849b252be87595e811502ee5a89446dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
1cb8a8299921d6e0c6aebf0d6d422bda

SHA1
84772e39f1361d103801faaeea9ba09a66d0ed2a

SHA256
6130dcd359cad8069de8f4b0dbfcccc8489af3e4be81cfa1862f6276e4172e33

SHA512
62069d87faf3568de4efff4512b088b9b9bc35816818d44c205ac95d6142102be664fd3fe929960548c420940c05b68bf238dadd8ac123b6334a2cb378e560f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
493cb18b9d215b07c9708f0036b6808d

SHA1
4a35dcc53d20405c1603ccc803278aa03f634abc

SHA256
8f7937dfa5ead06ed39606bef27e2620ef2a0b050261a7607d16d78511540d8d

SHA512
996a8b728a5cc0a5d1f04745dee72f140a60c9f370b74228376719a77f361e8c8ef8eeb727725ba69ae408fe6ec45ac4bee714f70d3a4319ef1b9013df439afa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
9c28e3c16ad48c0e10fe90774f037128

SHA1
d03a5dd428d7d159a57569ad23da686037f9fdd1

SHA256
7dd9a0eeb923a104b4aef5404d06445176955abf04b7213b0bb2ebb5583fc58b

SHA512
312b65b4715a75aafb28a222885cbc1d039234ee0a8a9b40b90838a425210668bc9693da2256f9b52adfa9ee5b8f6c01dbda23f2f03bd7827b806b6e70aa8da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
1ab64e97cf5db4feb6faf7197356131a

SHA1
070e46cb13766a82d5ab04fa88bd945516575679

SHA256
2540ed429728343e03dbbc3946b9bab1999d46196086b4e56c417bcce809c447

SHA512
3bd8baed82cc02b689fcb62642181ef7634ddd2fc3faea96823a2a01e2a6137de3c74ba7bd503feac4e10395dd9250468151d2c42d5126dc7d78e18bdbb7bb01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
3b59698cdf162d53aeeac86b4f52ff85

SHA1
d54ebaa32e5f2fa763d0b25c7fc96a208cac72db

SHA256
4308387a29956c9b1ed838ff7999e33b5b7f218bbd5d2cd6107b593400c1ce26

SHA512
3e861e755bf13e9dfc0082b4862e9599c0227106c303df58f92755456feb72a6f9252f7c6cef17b8be411b8d76b874b4c7f5d498b917655462842c8ae9cd85eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
08f387da82d39ed482256707eb24eacc

SHA1
93866a4b9ac536195abedd40d9461cbebee5e093

SHA256
083d9b1f5ab9153f8b8bfd2473892aa72b251ef582747fe2560cc5932e381635

SHA512
f22223d3c4f4ad8e95bc517f4235b3b28ccc279651ac8a0b74fcfc369e14e79f8b7503dc6cf7beeaa923f51a518ffaa30dec7f3979b23f7ca37b3a5835fa1bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3432_DYHTHBQMBSINVWDF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit