eec0c93e748bc4743d04a0d092cc9109e30e03e63f69c35a2724e43f7ecb3044

Analysis

max time kernel
150s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15-03-2023 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Size

1.4MB
MD5

ec0eaaf2f6c0a07dbc2b91222654f40e
SHA1

7b3b71146dc254b5af567c6d78854e4c3d4f2f85
SHA256

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f
SHA512

0bf772eca332e741199197a8de59dbf117e0ec8bf249c78d3d900a8ba374453dcfce5d11224a4a08476ec333deb0604392245d08abb6072bd729b495ce6ced27
SSDEEP

24576:8GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRDY5hoSQ:XpEUIvU0N9jkpjweXt77E5WF

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1548 taskkill.exe

pid	process
1548	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133233639739800740"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4816 chrome.exe
4816 chrome.exe
4816 chrome.exe
4816 chrome.exe
4116 chrome.exe
4116 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4816 chrome.exe
4816 chrome.exe
4816 chrome.exe
4816 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAssignPrimaryTokenPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLockMemoryPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncreaseQuotaPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeMachineAccountPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTcbPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSecurityPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTakeOwnershipPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLoadDriverPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemProfilePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemtimePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeProfSingleProcessPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncBasePriorityPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePagefilePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePermanentPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeBackupPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRestorePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeShutdownPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAuditPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemEnvironmentPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeChangeNotifyPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRemoteShutdownPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeUndockPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSyncAgentPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeEnableDelegationPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeManageVolumePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeImpersonatePrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreateGlobalPrivilege	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 31	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 32	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 33	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 34	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 35	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe
Token: SeCreatePagefilePrivilege	4816	chrome.exe
Token: SeShutdownPrivilege	4816	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.execmd.exechrome.exe

description	pid	process	target process
PID 4152 wrote to memory of 4996	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 4152 wrote to memory of 4996	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 4152 wrote to memory of 4996	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 4996 wrote to memory of 1548	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 1548	4996	cmd.exe	taskkill.exe
PID 4996 wrote to memory of 1548	4996	cmd.exe	taskkill.exe
PID 4152 wrote to memory of 4816	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	chrome.exe
PID 4152 wrote to memory of 4816	4152	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	chrome.exe
PID 4816 wrote to memory of 3080	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 3080	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4488	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4480	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4480	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe
PID 4816 wrote to memory of 4476	4816	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
"C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffc571d9758,0x7ffc571d9768,0x7ffc571d9778
3⤵
PID:3080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:2
3⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:1
3⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3092 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:1
3⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3584 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:1
3⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4932 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:1
3⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:1380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:8
3⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 --field-trial-handle=1740,i,10216738945969374487,5681466979752220420,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
b94514954e65b815b69927079224c339

SHA1
815a598a4881c665dfa78f1dbcd1e4407686e29c

SHA256
fed0cf5b1fffc69cf01a1d88107217b23ab4beddf213164749e0ba0e1c290278

SHA512
cb4866a337be0e9469fe3c5cd67b9349419f025486fecf82e3c183a5554fd0a8002aa9f7d89cd58869abb6964b6a28b90fe4dc2f2d2dadda48d5dfa619118082

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\799beedf-c68b-4037-bf19-6e633f7a8cdb.tmp
Filesize
5KB

MD5
efdd766b861efd9684e30b908f073bf0

SHA1
cba3ee95ef48fb01fb8e06a99afc870901cd8fbc

SHA256
d388c0add63bc62ad26e975b03d6ebadf17c311f0076fb5719415e4f05d2f34d

SHA512
4d0b0c15626ec82d506f2a49787399826e85aae60338ce79e939df35c9178be3330b12a367378de7246bec5ab7df7d85962a8c73784e28783e3f8c144e045b07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
3b6e37a0e1e5a7e8a114049df2a97782

SHA1
715f85ee8accedef9c9dc7a1350efff8c407977c

SHA256
b1feacef81204697bf6cfef2c4660632353af2e2ef78aeab896a884936410252

SHA512
4cd7f0c50e84b73fe04a47b54cf9647b5c1ab02094743c383dde9d65c1548052042c914470263f6c18fffcb081c7e940b22c4502fa951ad0d5b2642953a83dd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
dbf7eb7a8f97b767f9a30b4bacc96432

SHA1
17c501b7541ca1f6a7879136cac528fa54dd45e4

SHA256
0c189279413d7e2d332c46a63964de98aafe21280566803c5dbb2867ecf058a5

SHA512
544d50e1d949fb5c3c3909c0b08a4110290602bfdd61b0dc08248d209d644a8634ad9f07ef0da2f9344794d0bb2bbb153b31378515b60f234a2c1b84cbd33949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
7856e48077d3880fedd9a635e44412ac

SHA1
06ac508d395e6d3d2ef8b52491dcb8ae59893ad1

SHA256
5650f242d8b04907c01676e882bd1db97da0c051c8aa619b6ac5b228e47047d2

SHA512
ba63cba01c6116c6811de709f078cde262b2151bff9d943cc8746f0955479c84422fe683881f1daf73ef04195da67d16940502fbd8b4a0b430ad63cde8a23530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
f412b86ed943192d4f8814b4b32042b6

SHA1
c576686526c7a928cdbbf8495d454adfd6b5e21b

SHA256
89b59107a3413af54a46e407b395b3461b708b76bd2439ebd82d88dcdaa41180

SHA512
a4530d22da0788e2183a7ab93135586679458bbb368d92ce825dfc1dd74172aa1df5c93392a4b88ffe5d9f671cd9fccac48cf00d58498023cafe4f5a5567a589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
868B

MD5
26cefbbfa9f8fd011326ccf47ab9318a

SHA1
4d9be5289701c293117ab88521e9ab9c9cbd78a9

SHA256
fca65cdc0a79e572e03f38f8f4e182239b739e44fdc6d188c18452d9c44bfa63

SHA512
2f48e080675ca20939a6a1b9344ca896a5a9006e0bedf533f04ab6603e8fc8640b8af89ab69825c11f976b7acff8f29f63369e66ca8e87225638ea0022f5b012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
7df382a7c04f19e0a680543a9af5dc20

SHA1
643abd7920fe1b8e07fc1cb340c828ab263dbdd4

SHA256
a2d01bc1af91991d2ec8d1182277391d1b8347303b0012a9943f1a882b12bedf

SHA512
7eeb69ef486b3aa70c88f8ccb8e093c1188198d28baa3ff776efcea0d97c4baa38bc6418478f0d1a00a162b16aa425138e95061fc95e95cfa5bde950084b7292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b22d2c94e4cf4f939985aea24ebab5b8

SHA1
0fc7ed41445bd35271987e8789946c799379573a

SHA256
70f9a96fa813cf2904ed3cb195c3f61fc5ae2c0d50afd2d9eb3e0765dad76d3b

SHA512
05c41189a1da479ef02340878303677dfdd7d3b7d8af91703d0be3cf4eb61e522233128938f25a7d3d9e30bb990ee8c614a11c1ed56c8e0eb675d0b9014542c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
bec7d9643f4ef0dec8a7b41bc56adeb7

SHA1
26be25ac4da9577a0047ed73c85a786ab626f455

SHA256
230b1ea085750045b3515b65362785c146abfae87d143d0af5221934af5944dc

SHA512
9f8b66585879cc13494ac6c5db3ae3617be115014c892c68b3ee73d01b5dec5d05ed5ba008040a13c952708e66bc31a13c706c06e412549cea318354fd12e569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e36d8060-604a-43bf-ab0e-5c8d46f45a7a.tmp
Filesize
11KB

MD5
4a3cb919074369f6d36ac37ee949ca56

SHA1
8daeeb12dee88e43d86ee2faa88c8df8725daf06

SHA256
68634f9473472938c65068fcd5f840124939bca46ec75c06b5fdf94bec0afca1

SHA512
969795da1392fb77b7e367c78356d438e9db7d72c10a450e27e3729ad1eb9f74e04805d65a0d3cd8f7f2383b17fff063bc3323e7cabed6f8e1a812be56ffb081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
813ba652898be8617bae16f646180484

SHA1
1aa12192f8c39dc89dc08732feb17e7eea6b52c0

SHA256
27344d941c3879b05b0eaea693b651a8a555d44261f1fff0901c0066b0dbb298

SHA512
8f684458202c1dc67bd2392e0390980426ad11680ca71715c8b86f9c5ce5e253b18c411999b7d327850711187d848d5c5a2945ca8992d18aabc437f1ae7f3adb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
d605cfbb8bb72e84b23b40ee7eda7a05

SHA1
10aa89ffca967c83de1a43a26d03cbfe73108929

SHA256
4dfe21b8ab94b80266ac09ea4ee74a5fd51a01d4301b65c3c6aa4a846458089c

SHA512
54da8c36c1e3a1b03f36db1f1df14b7cfeba5333c37c6377bd3b298bf31d0bc27a7795709f0889d3d03dbc150ad3fdc67d9f2e29b7f65c5a014606a9300eebb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
147KB

MD5
479d62bd2ce6d3377e889f27c1e2e29e

SHA1
e1204c5b5d20d2a61f75bfbf328722868c70f6df

SHA256
dc4403411158edab48ae1c15fe8bc3545528b9c9a9104884baa4093a764df99a

SHA512
28b1f8f7825a4ade2eb96321c0aea528780afcee04ac16b7024c2ee0f5fbce08f0ec7958c051297572efc1ef4a31a008ce35abb73eb3935ba3b0476fde3d039e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
1cf9439d61022a1d45c2365b6db30378

SHA1
c65dd9e85411ce2d43965f0738179c254d22e810

SHA256
279ec3cb6e96fc813ba757e115322024afcd101eaea6a5940cb4be9e9b82c8d4

SHA512
b61fc7dbf3dca6aa78991f0acd7120a716854cbbf7600dec52c60975968812fc111a4e77eb2dbe6543c54cde4eec774312e8945cadbd00378881ba38f822161f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4816_RPCLVGCYNSXCREMP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit