eec0c93e748bc4743d04a0d092cc9109e30e03e63f69c35a2724e43f7ecb3044

Resubmissions

21-08-2024 09:31

240821-lhklrs1clc 10

15-03-2023 13:27

230315-qqcy4sdc65 10

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15-03-2023 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Size

1.4MB
MD5

ec0eaaf2f6c0a07dbc2b91222654f40e
SHA1

7b3b71146dc254b5af567c6d78854e4c3d4f2f85
SHA256

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f
SHA512

0bf772eca332e741199197a8de59dbf117e0ec8bf249c78d3d900a8ba374453dcfce5d11224a4a08476ec333deb0604392245d08abb6072bd729b495ce6ced27
SSDEEP

24576:8GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRDY5hoSQ:XpEUIvU0N9jkpjweXt77E5WF

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
4116	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133233640779758567"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
2124	chrome.exe
2124	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAssignPrimaryTokenPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLockMemoryPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncreaseQuotaPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeMachineAccountPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTcbPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSecurityPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTakeOwnershipPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLoadDriverPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemProfilePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemtimePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeProfSingleProcessPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncBasePriorityPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePagefilePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePermanentPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeBackupPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRestorePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeShutdownPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAuditPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemEnvironmentPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeChangeNotifyPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRemoteShutdownPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeUndockPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSyncAgentPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeEnableDelegationPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeManageVolumePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeImpersonatePrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreateGlobalPrivilege	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 31	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 32	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 33	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 34	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 35	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe
Token: SeCreatePagefilePrivilege	1992	chrome.exe
Token: SeShutdownPrivilege	1992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe
1992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3240 wrote to memory of 1700	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	66
PID 3240 wrote to memory of 1700	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	66
PID 3240 wrote to memory of 1700	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	66
PID 1700 wrote to memory of 4116	1700	cmd.exe	68
PID 1700 wrote to memory of 4116	1700	cmd.exe	68
PID 1700 wrote to memory of 4116	1700	cmd.exe	68
PID 3240 wrote to memory of 1992	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	70
PID 3240 wrote to memory of 1992	3240	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	70
PID 1992 wrote to memory of 2256	1992	chrome.exe	71
PID 1992 wrote to memory of 2256	1992	chrome.exe	71
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 2780	1992	chrome.exe	73
PID 1992 wrote to memory of 3144	1992	chrome.exe	72
PID 1992 wrote to memory of 3144	1992	chrome.exe	72
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74
PID 1992 wrote to memory of 992	1992	chrome.exe	74

C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
"C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffea1a59758,0x7ffea1a59768,0x7ffea1a59778
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:3144
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:2
    3⤵
    PID:2780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:1
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3080 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:1
    3⤵
    PID:4120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3568 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:1
    3⤵
    PID:2720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4908 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:1
    3⤵
    PID:4260
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:504
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4824 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:1668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:1508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:2680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:2384
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:3972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:8
    3⤵
    PID:4440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2696 --field-trial-handle=1684,i,5589756906429428008,16719770020648869211,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2124

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
84447ae7225c82f63f7e042be5e95670

SHA1
f0b211647bbe540f3c89a1d043eacc58b03a1962

SHA256
dcacc6f69571ccd6cefa754744343e9756b9616e22bfb2be6b3c77becd1118a0

SHA512
3f4ab277ee2c0c59e5b3b2e85926ee3d2c14e88ae7cb06f965ef30688e8ea00a1933858f6c0cae609b3ca896f9dc48d27d3693e030862723208491dd99011bb4

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\280ad9cb-c74c-48dc-99f7-126c04f4b09c.tmp

Filesize
146KB

MD5
1d8bbe24d63dabda7d995ea81db639cb

SHA1
6469428aba5a041ccd84b8b748a3d4f2e6382518

SHA256
223224df1fc52feb71dbcb718c069687abba189508bd2c6af0363e3a06096bae

SHA512
b3d2ceffd981b42daa2e1505aad043d1bd8367bf6c4c2b6cc8ce794fba58f24bb74ff8ff7af51f527af8c4e31089979e5083fabd230fa60b6ac7d3a09db8b877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6c18f79c-dff0-4351-9a88-4cc805809669.tmp

Filesize
11KB

MD5
4a3cb919074369f6d36ac37ee949ca56

SHA1
8daeeb12dee88e43d86ee2faa88c8df8725daf06

SHA256
68634f9473472938c65068fcd5f840124939bca46ec75c06b5fdf94bec0afca1

SHA512
969795da1392fb77b7e367c78356d438e9db7d72c10a450e27e3729ad1eb9f74e04805d65a0d3cd8f7f2383b17fff063bc3323e7cabed6f8e1a812be56ffb081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
876d752529fe22654e3592accc308957

SHA1
2df4fc28ffe85142e86e08387f698821eef0d1ea

SHA256
afabf73ab5da4d45ec6371ed69d957059e97fa61a22af4db21447eff35adc1bb

SHA512
2375be67a87cc5f49ea349008f5310523e841a7d803e64fdad564b381d03d06744c318d43d9e458236cb7ed851c55c120bd24def63fb6e08992222accd4c17cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5bb91110e7e35e97066b47d4f7def137

SHA1
f0a17101f471668e513a61783d238c1f41e439db

SHA256
3e19384aa85535d4e12ec9056ae1915c9cd89c52b30ca21625a19d9c313d2051

SHA512
4db9a9f6fdbe8622329dcf617ac7de3443d9a3a60f65eee704443109241ec2db72519d18fb79eb91e83931d116925938102ea7460d5368c11ce61cbf59599fe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
fa8885edb73a69d155f9af0103f36395

SHA1
6547cb3a13ee1e707d99935dce4f418b6f28c48b

SHA256
0e7ce69e174e8a44dc7362c7b9e939d6ea81a53c196e2944a62f2f3b3e028bdc

SHA512
9ee244461d368e3dcb8ab44074db615be9d77864e0734b11eb949b53d1d9a43c1c540906940b646b49875fd542e9a69b6b9b0e42395337e1630c12782a6bb950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
e27f397eb074b7cfd4cd2c67d4f9aca1

SHA1
1fd7b18e294262d6afe656b937d866b25ed1d2da

SHA256
7c681572af46c9e1114998797928da316751a0b44ad461b5be183209fc92a0f4

SHA512
e0672f7a5f68da2d7138a9afcbdd1237f7aef632df10ecb2fb29f452ef5301ad1b456207ab3c1667deb251062e68ff7bea67b8e71df81f331393e20cdbc0ba7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
f95d278d929e3cb7c2e86f9ff34c335e

SHA1
04a349d44aaa9ec48561ee5f2959c85a07643cc5

SHA256
52d5875fd83490997aa15c53454efcb7d1bdadc17bf50c9f4adb4e028669a3e2

SHA512
6319b039d34f2317bc80474accbf54d594096d3e0c01953e087618e60a9dbb4f5c2f672d337f207e9f549c2db35069af4821869a83d6b146b19b040802c5377c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
868B

MD5
118f9294732dc640d7dc1192e39eadd4

SHA1
253b8e3c1a7264bc09d1f7e7d11a1427dd7f586e

SHA256
65d345f5fb8ffb722212e367d0f1e5cf35ec870799a3fd6659d81b5a8fe2b1d0

SHA512
ad85654efeed4bb0686bafbab6b0351dcf6e7e7d72726350c5c0fad6069ae6a403a128e089059512f1528d854f0665c67c4ba379a6221aa0c91402a654fedcd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
97e87407c3c826966f76d956c4febc9b

SHA1
9cbad319b57bb916738384568fc06a9bd1286798

SHA256
8425bfa4d0d2179a3a0ce48cef0f89af5f49aeb6d372f78f5b7bb3390aa2e8dc

SHA512
77928c1d8da9351e14e80087605507b1741ac6b29e8a6fd5a14af957bed2312285a7d00e1ca3dd2181134401e7e6217888bf25c464aa28578413f8c18504c7ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
595aaf63f9355a11d92a9c6ce731fe0c

SHA1
a34ed7f11d6906322ba5bbb1cb3a061d933b7703

SHA256
fb468e751894904e58cef41be440f79f1d01c1cc9314e4cfa6f728299a5a4530

SHA512
865b462c04908487ff65d5bf642d96863aafe8c16f3dfaf021ebfaf16237a2c95d61d2184da4c36e7ce848cb2a779274acca1f0f7b7005865319240297acb421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba148e2122d9ae55131b5686134dd94b

SHA1
8a54198966ec5d2dbb284dfd02f9bdbd920aa0cd

SHA256
9ee02224ae0488756895158a84347eb18d64d5cb758ab9e812fd077710a2efa0

SHA512
086834f9709c806d1ba437f3235bab9bc76648720cfd8b59d12754fb07ee7cac98c2588ad89e5a3cb9cdb3346278216d5be43f54f3fbb8bcc8a34b0dc3952310

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
bec7d9643f4ef0dec8a7b41bc56adeb7

SHA1
26be25ac4da9577a0047ed73c85a786ab626f455

SHA256
230b1ea085750045b3515b65362785c146abfae87d143d0af5221934af5944dc

SHA512
9f8b66585879cc13494ac6c5db3ae3617be115014c892c68b3ee73d01b5dec5d05ed5ba008040a13c952708e66bc31a13c706c06e412549cea318354fd12e569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
147KB

MD5
c29d4edd9896e39d2add2217edc09f34

SHA1
79c9ae34ccbaaf4c3bb0d1d1e314502f8b263538

SHA256
0760c34d53bb62ec9cdcc87296d56bbb7ace0444d34fca321a3a39742515e117

SHA512
5693acddd0015132dbfeee75ab5ee3f2b6969308d73c8dd53a5f10364cb6c1ba56856fe9e6521cac1f6d0f4b5b666dce9cb1b6bceac65438f34c1bbeb03e598c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
a949afc2bca47638b00e91e5658d2aa3

SHA1
5e22bd858185723a568c7cc42ac06d2ac1420dbf

SHA256
adbd3bb70ee44c26650d8365a424ec87148906f0c7e84fcc424ddc405ac38211

SHA512
0961add8ba1ac81cc79bbf7a1c3d6359689b1dc1f1024b6a2fc007777f19d4a5eed4b6cc77c53abede02f30f92773aa694daa70db00362a5c9e2249a34f7c0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
146KB

MD5
8fcf0e5205a308aa68615ff5498df1c4

SHA1
41d366a903d4fc2bb4eba302f1f1c65a45ed87d4

SHA256
7d4fe160b0f31aab70ba71eb6d38dc270edd9548514cc3f44c6ef36cdbe5d4a2

SHA512
d433dce4e8b290f22dd8df2a805bff0b193c4b0a32f4f365aa63b69bc396913825405e3d37cd2b9498a50c66945918c396d8867a88fa14ef4945cc460065be96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1992_WUELXKOHOIZRTOYF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit