d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c

Analysis

max time kernel
150s
max time network
148s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17-03-2023 10:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Size

1.4MB
MD5

9cda259e49a9bd48616921186a85f9b4
SHA1

8c4d06cb8564da89edd4cb410f835a324770fd1c
SHA256

d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c
SHA512

15efb7ca3a65f9f7a646567dfbcc15924cc5a82d2756bc7f573685fe7fd283264ba50b5f1ed414e40b55b7e427f9decb11dcecf23aa00045b3fce225c487c050
SSDEEP

24576:tVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrEPz5hatrW:zpJOl8xFMRy/SeQg75INW

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3152 taskkill.exe

pid	process
3152	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133235209153103844"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1308 chrome.exe
1308 chrome.exe
2620 chrome.exe
2620 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1308 chrome.exe
1308 chrome.exe
1308 chrome.exe
1308 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeAssignPrimaryTokenPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeLockMemoryPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeIncreaseQuotaPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeMachineAccountPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeTcbPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeSecurityPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeTakeOwnershipPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeLoadDriverPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeSystemProfilePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeSystemtimePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeProfSingleProcessPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeIncBasePriorityPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeCreatePagefilePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeCreatePermanentPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeBackupPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeRestorePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeShutdownPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeDebugPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeAuditPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeSystemEnvironmentPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeChangeNotifyPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeRemoteShutdownPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeUndockPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeSyncAgentPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeEnableDelegationPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeManageVolumePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeImpersonatePrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeCreateGlobalPrivilege	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: 31	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: 32	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: 33	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: 34	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: 35	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
Token: SeDebugPrivilege	3152	taskkill.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe
Token: SeCreatePagefilePrivilege	1308	chrome.exe
Token: SeShutdownPrivilege	1308	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe
1308	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.execmd.exechrome.exe

description	pid	process	target process
PID 2060 wrote to memory of 2676	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe	cmd.exe
PID 2060 wrote to memory of 2676	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe	cmd.exe
PID 2060 wrote to memory of 2676	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe	cmd.exe
PID 2676 wrote to memory of 3152	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 3152	2676	cmd.exe	taskkill.exe
PID 2676 wrote to memory of 3152	2676	cmd.exe	taskkill.exe
PID 2060 wrote to memory of 1308	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe	chrome.exe
PID 2060 wrote to memory of 1308	2060	d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe	chrome.exe
PID 1308 wrote to memory of 4616	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4616	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 3028	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1416	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 1416	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe
PID 1308 wrote to memory of 4728	1308	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe
"C:\Users\Admin\AppData\Local\Temp\d1965b109f9ad8124f5bf8eac86603b4f59c5d2accc2fdc7cf7642bf02f7990c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa44d9758,0x7ffaa44d9768,0x7ffaa44d9778
3⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:2
3⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2068 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:1
3⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3088 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:1
3⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3552 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:1
3⤵
PID:4688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4904 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:1
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3592 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5272 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5032 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4608 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:8
3⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 --field-trial-handle=1768,i,13265011056113139054,9348760011777824261,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
0613953b85e01936083ccbe73d86870b

SHA1
90b0fe4792ebc9e29448bc5f91d1bd88ee5fc2da

SHA256
a3de04d3653bf83574aab2c86b3a2b46c85f001061250cc5c981549a83dec2be

SHA512
a687d57499adcffaa687d42d1cb9cbb8932abac8c44673f888e233869582718d27659b3d9367ffe9fc5bdc5442ab7ca2a6150b8352b49bf95cbd8cf7214636cc

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b45d340b5e765faf746942895df7eb48

SHA1
00921a87aaecb60ed5d9b2f92d5dd5cb10f283e6

SHA256
286739ffe33b64a4712cb5afd421d2ebcfa7ded55e642c9c9d7744b6623e1710

SHA512
48cc449e6cc9666465c50eed0d8882d21e7546420bbbffab08e46cb04d8ae206ef14e0f837216d93f181a9c1f60c1d6e4610fb30c3af4fa91681e9d2f2d55470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
15d69c7b4cd54fe0aaa94d46b5d3882b

SHA1
81ddc2eb324a9fb48fcbeac2cd9d49af7e3740a3

SHA256
0c8a72d1f8e64a7d1aade12ef0d495594e71863014c3a3b42ca32d48d806fff0

SHA512
fb0d2a69aff4b9370ab145c0c4bdc03bc5e323598f88f870fa34d7767a14b168fb83ba58515292b1ba232e4e69601f5fb882e9e0cd68b18bc9a13f0ff70f7cf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
4797a86459f9ef660fb51840bcb00423

SHA1
bd70878e0c1eb7f1f6aa788cc6ed957b3920482f

SHA256
ead065a9c68466341c1bfead0018df73c45e9bf8c299729e4e52fffaffccd73b

SHA512
50673fcb51f2174c765ad9deeb906c530599045836f0ebf4ca973b5c427ae678a783f04c89de9011e70592cc4f1f9b53115c41140997620e3b6bb3e5a77cce98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
5e44d013b2568280dea9233e565aeef1

SHA1
e2583307d01a76a3dee0de0d277348e8921d12b9

SHA256
1c3d1a8abcf4ccd25edc6f74f3c0bf93b315b70065f6d78ceb18edda80f26ad3

SHA512
b7919dfdaf0628e841802c1a19576787b861ddbd7bfb2014c16f393a169ce415363e3c68f9e8fbfa80c4107b652cc0f6f2a3cfa10841dbce05062905f4eb14b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c59e2cd5-914e-4c01-8240-d344fbf135ec.tmp
Filesize
874B

MD5
becb5361824acaea51ab43428a186852

SHA1
767b35b2a4850ed6479665df50ee55f89ea646e0

SHA256
e3a5ee7a84df59e9f7c4febe931ef504023cd64894aeebee84ffab4bb324547d

SHA512
4280468307c7b1fd21b9e1a412f3a3732b3f29f31ee7a9505f5d45ff75ab296a7d99fc6831306ecc7ce44139845eae8ee39e29e569e1c3b4914166af1a6a0c56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c703f5161e68370f8f8e09c83118cee1

SHA1
cb81707fae8297d32786744e28f346af124f518d

SHA256
100b11a6b890dfb90c051b87bd885c8440a3600b52bef319c75e12d8fdff4f0a

SHA512
b2f4a7f8560f797759400661a0a5f07ebfeda4e03efecaa643a4f9035923dfabe4238110f3ff9e10ad9d21a48c77491e768e181bd0551ef454c06d650fe389a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
18701c6975df8f92a6c256eb58ef80e9

SHA1
95c598378474af41a37c5171c6e0edcacf4ddfeb

SHA256
6010c27886ad787bcc19b2df359025fa6e417f1c3c9694765ac74ee5caa9781d

SHA512
339876a4190c3d366e77e7f8d819eef328fdd037582485422c5d98557eab11ef6a80189367c58c8c235816fcbf8b297749c7be05bbb92960c1627dcc9261e14b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
e18a9cdc9c0ce0ff4717287678ae863f

SHA1
7fdc7eda1db64560c5a72e4c1f8ef8280d96aa42

SHA256
6791fb3bad0f67a943555c766a126296acc425cebd99fa563d0e938ae5639e7b

SHA512
1c0e068a5b6e5d1441d2acca2e32adac13fca96ad7af16d9f6b3268f9bceb8554a4d62351398d9de17b3ecae861e4219a9625329d6021ba75218fdcc08591088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\dda912bb-15f1-4261-82b7-5782e4ade3bd.tmp
Filesize
5KB

MD5
fd504ba648dd00ad7ae6e29d5db3c0ef

SHA1
c28b9b255a7c103bbe64d88db06531fb5d636cad

SHA256
3cd324e87a6c3ac16d28941d0c662bbdb1299b3e31514d9f63434fe3253f0876

SHA512
5d3c435e4d7d7d32a548049b12da1a314f50d7e7272291de4c4608f5d07aa4a3d74df2d5edb3722d75a2a183ccfeb33ffe1f0fb9c8c2f787949074155782589b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f87ef1f9-fa88-4180-8410-f60cec080902.tmp
Filesize
11KB

MD5
56122b1c9366057badda7af8c0baf595

SHA1
61267082e3bae30defc1b5050bafb87ead851431

SHA256
8842f4fa1920321a422dd26468b9ef5f76df14a05c4dd8d2cc6b336b70605942

SHA512
8773c268f945f097483ff2eef8ed7401ae34cdb7e74f01eadb2f5e475f4f58b723d978914822d92bdd24636315299c33ec04d05412082f8a89ca1b4e33197da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
143KB

MD5
6e2ad806e7bb91db09098d0f6d5c7276

SHA1
c768848413d3b480e016d75113af4f98d22fbb3e

SHA256
2f3196d38c5749b8e04d28c2bc596fa7bc0a3fa998b7d5706d2aecd0859971c4

SHA512
ac6b2940e9e9d368294c535a953d74d4a9c00e07dd7db81df2a6f8623be00e827f127715bc7127089d0a6632349bf3532f988997d41fd46b79f95937fc5d0b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1308_MJLNPEEYKXSZLAXB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit