d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20-03-2023 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Size

1.4MB
MD5

3c8fe4c17702db8378648d00b8d93c4d
SHA1

2563da3b8b0192abdcdb4f580615314de377908f
SHA256

d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e
SHA512

34ee22da04079fb30531ac484f2b06174789ff177517f4f97763fb889851d71e7004ee13fcde6c2dd7cc54de7252614b446fdf9940aac74fb44b794e1c83fad4
SSDEEP

24576:kGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRLB5hQS4:PpEUIvU0N9jkpjweXt77F5+x

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3128 taskkill.exe

pid	process
3128	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133237607978154660"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

1500 chrome.exe
1500 chrome.exe
1500 chrome.exe
1500 chrome.exe
4540 chrome.exe
4540 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1500 chrome.exe
1500 chrome.exe
1500 chrome.exe
1500 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeAssignPrimaryTokenPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeLockMemoryPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeIncreaseQuotaPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeMachineAccountPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeTcbPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeSecurityPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeTakeOwnershipPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeLoadDriverPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeSystemProfilePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeSystemtimePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeProfSingleProcessPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeIncBasePriorityPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeCreatePagefilePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeCreatePermanentPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeBackupPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeRestorePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeShutdownPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeDebugPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeAuditPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeSystemEnvironmentPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeChangeNotifyPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeRemoteShutdownPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeUndockPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeSyncAgentPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeEnableDelegationPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeManageVolumePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeImpersonatePrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeCreateGlobalPrivilege	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: 31	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: 32	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: 33	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: 34	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: 35	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
Token: SeDebugPrivilege	3128	taskkill.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe
Token: SeCreatePagefilePrivilege	1500	chrome.exe
Token: SeShutdownPrivilege	1500	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe
1500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.execmd.exechrome.exe

description	pid	process	target process
PID 2148 wrote to memory of 4228	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe	cmd.exe
PID 2148 wrote to memory of 4228	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe	cmd.exe
PID 2148 wrote to memory of 4228	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe	cmd.exe
PID 4228 wrote to memory of 3128	4228	cmd.exe	taskkill.exe
PID 4228 wrote to memory of 3128	4228	cmd.exe	taskkill.exe
PID 4228 wrote to memory of 3128	4228	cmd.exe	taskkill.exe
PID 2148 wrote to memory of 1500	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe	chrome.exe
PID 2148 wrote to memory of 1500	2148	d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe	chrome.exe
PID 1500 wrote to memory of 1940	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 1940	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4952	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4116	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 4116	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe
PID 1500 wrote to memory of 3680	1500	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe
"C:\Users\Admin\AppData\Local\Temp\d175121e36c818ddf701b41c4489263d719f3ac824d8d0897cdcdb1dd0f3ed0e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeb3b09758,0x7ffeb3b09768,0x7ffeb3b09778
3⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:2
3⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=480 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3048 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:1
3⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:1
3⤵
PID:3244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1636 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:1
3⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4844 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:1
3⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3804 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:8
3⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1848,i,9070800869387254825,10535887060883219419,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
3bd84d64c10d9146055f4f1307c0b5f5

SHA1
f2748ea726b9e545632fc13251e26ab4625c1310

SHA256
70e01d1de6e48b1e70e94f8d2751bfed7da6f011698afa3f4f7232be940faa1b

SHA512
4187538e60d4acb4e70ee485b27695039c69f2aa3d85624544c8081d422a56b8db404b8393f31e766a50e25eb38120fa49b5e93a701c601210ad620b3515faff

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
393c36657267b816f535d7b6e6d73ed5

SHA1
6f1eda3b060de65012968854ebfdebb03ca14201

SHA256
e15d9d4e325acb64cbae842b0fbc455c12482200dc41700b61f65f35f06fff63

SHA512
8c44c70ca6d833b7ee6ead0113ee3d2fe2d525fd72406b5cb9ea32a391af90fdd3ad6224e23d5d4561549a91476560d59f68b63d527d815c6531ed57a594f64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
9b4051d774d1cf6608440343da22a0f5

SHA1
c53c88acfdb02db4238a9cfd738d6d9e2dd66124

SHA256
17c0b509ebce927b14626b09206940b1166f20481a5a57ec5b154201a078aebd

SHA512
545862259f487b774e2fca7ab3bf029d3f916d8e78661caad7a03230bab1ec21e93f38d83e84613d90e1f620bed3165e3e1d8f81581cea0be15b9a4e85db619d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
70a46cc46d009455f0f0e57b32992f3d

SHA1
07bb68cdec163d59e5e9d96b84bf4c710be25a85

SHA256
35a2cf671d2a0d7ed32e20bd609881b47864c319967dcd9bcf9e4e732f17a299

SHA512
bc45b564d772f0c739ffcfedd3d1d01b65515438ff29b5b11f09b695e349c2cc2fd5470217eb7746956baf24eee516000522f7cf269e371c4322d1008d9e279c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
28b1daf7fda676f9d17ab5bc7d04e1b0

SHA1
c81db95452954af7121681e8f469745f4a9e11c9

SHA256
8e15c7a80f36bca59a911a4f2948f57464b6791abea3c6835b168072d5d32ea1

SHA512
643d5f0cc317e07ddc2a2e4cfbb9e1262ae1097a9d17158d136ece386d7fbb09304124f5359f5ffb38162f41d1bae1ee46cbfb6ac2b0764a099e259d1ccafee6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
c77305bce07e976d3f295f062eea8e26

SHA1
b52a3e967bc76913bbf783e79f8dd58e45bae8ce

SHA256
df06e6820f4f80d7cbce5db8efc5a709c658b28f20c664d5f86fadc4c7930530

SHA512
77e92baf6502e5784ec8354b2e855c4b0d4710c38cb087ed3dc3e5c004bf12105aff81806b6c262b571d43bd81a3a572579812fb471708b08371e63c685a9826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f6cbc6bf23b8fce15e8cf1d6da4fc4ed

SHA1
7546d00a9755093217d6215b758e7eb46e19288d

SHA256
2efd7d96f98fb96f399fd334f082f7f0f11e9bec39ee15dcc000e877404fe984

SHA512
5924e2b337aeff3d0a8c530980ffa8ae84da947da58272495bf0f40032a63b439eab6e8ffc8bd117da25f1ca23111dfc3a18f828c7e771a4db10dc50a0209005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ce8650b8332b3b0649334517317b90b5

SHA1
101a6ddb10c695c6d9612e06ef19b7705b080a21

SHA256
5975ad3df2258064f6c3089354b7dec076dc2ca250ba120fabd3ee6375a8077c

SHA512
b5479bba495f17b74840246b9d89eb65226f9e9cdb87d6b57b2512c4a1e85c4c17c380d76d4ec2f69e8c48f274e6e30330d2c2ddf4d7c3abcce805b7d64831ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
ac267f78b1a2e0cdbd9e5d0690d89928

SHA1
49cb3e8d6b70a0c77ae40ebca1d6b4d0c726266c

SHA256
7be5357db009dea8d1a35a5b6ccc16687e0b69fbe672d0cef8e9bb4000a1c654

SHA512
6e4efbcf11e0522c1a6daf0b3bf7d01c390c0ddf1ca9c1b005d16a9bb9a52655a06e370cca578ba47bc2cc5f8b4bd42834bf1ce8f73638521d42d76709feb1d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
bec7d9643f4ef0dec8a7b41bc56adeb7

SHA1
26be25ac4da9577a0047ed73c85a786ab626f455

SHA256
230b1ea085750045b3515b65362785c146abfae87d143d0af5221934af5944dc

SHA512
9f8b66585879cc13494ac6c5db3ae3617be115014c892c68b3ee73d01b5dec5d05ed5ba008040a13c952708e66bc31a13c706c06e412549cea318354fd12e569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\da6d0e18-89a3-48b5-9788-0ed295fb42cd.tmp
Filesize
11KB

MD5
4a3cb919074369f6d36ac37ee949ca56

SHA1
8daeeb12dee88e43d86ee2faa88c8df8725daf06

SHA256
68634f9473472938c65068fcd5f840124939bca46ec75c06b5fdf94bec0afca1

SHA512
969795da1392fb77b7e367c78356d438e9db7d72c10a450e27e3729ad1eb9f74e04805d65a0d3cd8f7f2383b17fff063bc3323e7cabed6f8e1a812be56ffb081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
1a19393f5e6c0bb00039cb67c501979a

SHA1
fbd8abf7e204645a052fc60330cf568e9143f7b0

SHA256
77db23ca834452bf84a0b3008d22786a53865dee37a76670411d26b720b0b393

SHA512
5d1a69120859852613c200a4d3951cdd2d196e926dcc643ca0610f34852106007567ba94f30414fb270d0660a0dae03db7c5e115dfd5fc8fe8e7572a43cd2d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
9c97a8416f2347ee70166dada0c441f7

SHA1
26e594a49ab29cfef42f8f28d559c80c8dedce2b

SHA256
efbd58e59c2abb2750f9842f41ccebf037c312ddc3e0012ba915e6860be66535

SHA512
0f37eb305951c898d3543eaa323cfa92b3b727f916424eba7a6423110943d8879d3a85abcdd80528a930635f8f730c40982f1fec161971202f76ebd2ca1f0768

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
2a5a1b2ac4982782a2f72d6f4a6b494b

SHA1
9b194f709ee6e4f6ad8ebf141c6f32891f70807d

SHA256
6db5df1280712adf397a8e92b3bfb82875deb3fef1db3dff4767947750b60b0c

SHA512
b5dfb7571a56840bd66ebf0cd71e7270af7f43f875549189cee69718bacbb58228f303fd32bcba918456856bf68a5c7a66233e1e832dfb8847b0ca8286193096

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
2dc4756c622a58d29317f40758d17b0b

SHA1
9e79b59d3808cf4422b85f032ef5eb2bc6b88690

SHA256
fa98d677e079edbcf46d1fd6611113af9cf754435dd6abd549a3b4e33bc5f5bc

SHA512
5a567ba4b29540e98a45147e6cacea0cb53914d4956d5563580d4fcbad9c7754e1f10d505aa3dfd5950822fd7af8646f2467f8ebb6a87fe4a328f4fe9385811a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_1500_KPZHIDELFFNDFAZR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit