6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

802e1974c79084d3b80ce713a54929aa.exe
Size

1.4MB
MD5

802e1974c79084d3b80ce713a54929aa
SHA1

c65a48fe08d3747202ab2a2bc6821a3f6dd95f76
SHA256

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8
SHA512

e738c94641b115014abc798142c6a25a70183b266730e7ca76628fd1c3d1654d54e8d1b3869f0b71eae9547c2e983f222cc1507c3acf678fedd26a2dfd6bd92f
SSDEEP

24576:UGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRTg5hoS6S:fpEUIvU0N9jkpjweXt7785GjS

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

802e1974c79084d3b80ce713a54929aa.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	802e1974c79084d3b80ce713a54929aa.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	802e1974c79084d3b80ce713a54929aa.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	802e1974c79084d3b80ce713a54929aa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3468 taskkill.exe

pid	process
3468	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238717024019525"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4800 chrome.exe
4800 chrome.exe
2996 chrome.exe
2996 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4800 chrome.exe
4800 chrome.exe
4800 chrome.exe
4800 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

802e1974c79084d3b80ce713a54929aa.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeAssignPrimaryTokenPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeLockMemoryPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeIncreaseQuotaPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeMachineAccountPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeTcbPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeSecurityPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeTakeOwnershipPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeLoadDriverPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeSystemProfilePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeSystemtimePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeProfSingleProcessPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeIncBasePriorityPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeCreatePagefilePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeCreatePermanentPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeBackupPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeRestorePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeShutdownPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeDebugPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeAuditPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeSystemEnvironmentPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeChangeNotifyPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeRemoteShutdownPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeUndockPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeSyncAgentPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeEnableDelegationPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeManageVolumePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeImpersonatePrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeCreateGlobalPrivilege	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: 31	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: 32	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: 33	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: 34	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: 35	1240	802e1974c79084d3b80ce713a54929aa.exe
Token: SeDebugPrivilege	3468	taskkill.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe
Token: SeCreatePagefilePrivilege	4800	chrome.exe
Token: SeShutdownPrivilege	4800	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

802e1974c79084d3b80ce713a54929aa.execmd.exechrome.exe

description	pid	process	target process
PID 1240 wrote to memory of 2800	1240	802e1974c79084d3b80ce713a54929aa.exe	cmd.exe
PID 1240 wrote to memory of 2800	1240	802e1974c79084d3b80ce713a54929aa.exe	cmd.exe
PID 1240 wrote to memory of 2800	1240	802e1974c79084d3b80ce713a54929aa.exe	cmd.exe
PID 2800 wrote to memory of 3468	2800	cmd.exe	taskkill.exe
PID 2800 wrote to memory of 3468	2800	cmd.exe	taskkill.exe
PID 2800 wrote to memory of 3468	2800	cmd.exe	taskkill.exe
PID 1240 wrote to memory of 4800	1240	802e1974c79084d3b80ce713a54929aa.exe	chrome.exe
PID 1240 wrote to memory of 4800	1240	802e1974c79084d3b80ce713a54929aa.exe	chrome.exe
PID 4800 wrote to memory of 4184	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 4184	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 5008	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2356	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2356	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe
PID 4800 wrote to memory of 2572	4800	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\802e1974c79084d3b80ce713a54929aa.exe
"C:\Users\Admin\AppData\Local\Temp\802e1974c79084d3b80ce713a54929aa.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdac539758,0x7ffdac539768,0x7ffdac539778
3⤵
PID:4184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:2
3⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1376 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3152 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:1
3⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3280 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:1
3⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3856 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:1
3⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5016 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:1
3⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4808 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5500 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:8
3⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2904 --field-trial-handle=1784,i,16320829487169101841,3580192942203842223,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
dd010982f4d859a3d8b55401660b5f07

SHA1
3090e7c8ffba16d3f3f7c879274f9e12372ef985

SHA256
a90533d82925164d3da5d3d34031c4726a0f26870fbbff20744896b99aaf2092

SHA512
00076de9f8e69634c7c48878e508a4aa402fc2a841913c379d83e60aee36e972da54bc7ca641450a303e5b3b0ba26750a9f7f072fc53e1552fc1f4fba90c48ab

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
6ba035bce48c5993cc984080b977d2c4

SHA1
361d4c4a54787c05389e549b5dd409f9b5310ba1

SHA256
568a020e3d9bf617aded528379ff818ce105d6ae97c4eaad4430fc3360b44afc

SHA512
61b10e4279fdc49e6b701570ffceec77967b38dedff9fc3403ef70a93036f0bc4eb572c6a8c62550ba7d66f05b5e3bf5f950aa011f3b183348f2e97917bc3214

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
b9610d5568ef786ff7300293f6688ffc

SHA1
a4af73edef29d3e4dd86df29a8135717d7f69950

SHA256
e97ee3cf1345e4cf76737b88b536fb4656a3e0c64b90581b49192f52ea07b875

SHA512
ed537ec3effad153bd53d9ce281d2cbefc94be303b8ed9740bbd502ea5206353c934100a7a4264c125c52616f089701ca65cc1be62d849e07f8eb4162162e2db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
05b407e829b24f66b502a9eb3ebfcab6

SHA1
c5efa1cc8b0d199d1e59aba38adf274abee6aee3

SHA256
fe113606025b71ff421312a3c44c457a968c16db08134909e9bc85fb080c955c

SHA512
068530d4ca05125a22528180d72a23326d2ff9a126eb48dcbb162f5aafb3573ccd3afc0f8b33cd0d0ce56a7674e083b91c1a77d0ae74cb11508d354e8007a696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
889bb434527dbaacf95f4cebd2c58ce5

SHA1
cc9af225b7a011183b1efb1844de8f2a780b96a8

SHA256
2ee7b9f7fb1dec68d1e0de52843ce564306aff39af5453d1b6f920e034b3450f

SHA512
03d6c96e0ecdc778477a83dccb3105cb86a593130036833661559b1c42bb314e46b473103cd0cd94e8a94b844cf0d6a96f12a2927296b304d63fc387f51553ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
169ed674dca4d91f05c838a12005ab10

SHA1
ec3d2e6288b26fb528a1dfa17913c31205b47793

SHA256
b19fbd82a4708ee283fe793233c293e74da081a9d081363b1cc4f5f9eac4cad0

SHA512
2f2cecfc5c8ca01fd8a154bd1e0629e2b053bcfe2068545c6043571f6c81c540505dc55c17ae7a9f556feff410de0a071b3168344a0a3227a8d326314f9eb6c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
dd31247dd748f1302e9a1bbb7a346843

SHA1
6431d11914bbe9bd20fafd8ecb8869f9abce5e6f

SHA256
e5b30752c26a39fead447552eabef5643c2e1a83b4d6f242a68809d74337bcda

SHA512
2efdc8c64274b9a0ad954d8e6d37773939cdf4d6e08d5cc670feb13a0bdc5305fb91192b071ece977956a6fbade0586fa712e8cd098d3381eec734b09d9235a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9e206487c1cb7fef9857e69ef5ed787a

SHA1
e0b303e9f876fdb2050a4faa05c32e15b80d3dce

SHA256
f46b97eb14aaaa9cfe13beaa467a2db9e06cc5b9d322ceaba941a2e448884135

SHA512
ea6911737c0e1edfb383e7da9d89e47becce8f7653e1fc4e8da61d2e91e95d9c2a72efe924649a16cdcaa59c69854f5b3611e5fffa5224cafe302c365345f72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
896364a5176317bb69d50e6db60781d9

SHA1
86aea86f4c2274e7ed30a3f9866de5b00994bf2c

SHA256
d0adb020ae264ceabea1737b91f0a2ddee1ef8cff5834e8a41a939072aa9c9d4

SHA512
02974f9bdb2d94a3844bb76651b02ab9e95199e205f7d00258bfe93264f058b67d17eea95da8bbd6d03c991dc65e1cfac003115b8e791807911e0944335651fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
ac821ea53c1507f9d1c5ba900bda2bb0

SHA1
20180a35eb36abb179ccb205ecd4de974c7e2a91

SHA256
87dbcf25a4a3b902169a4d330e2abdd36f3c383035dc0113b5991970ca46380f

SHA512
661875f18d4ff6717828168cc8f47b203bee8aa4e1bebd401a69fb82b5c3234b27fe7365151fd36226eba42e1aad57e7322fda20192f52a1f86593f4dda6f9e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
d6ac04f9a88aa665fe2b453f5a4d1d93

SHA1
23028384769658165965011c52989864afb9194a

SHA256
ab46c0b2effb143ad119e6430fa52903a961d3b88ee27c69fcfb3b87876cefdd

SHA512
18b98e65b60c458b44586b394b4be3749a97a8a10caf1dbb21a6059393192cf73c80891a34ba56da3365c58343d84b18e913ec4bc9cf7d7bd66c631a224cc7ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
69f9ba3c4d4fa3e0c0a283ff4ed93f57

SHA1
66a710b365b28888f604c3418127f3fb8c0a5106

SHA256
dba640ef51affb760263138fc750fbcfd14ee5f1067b4d6dde7ad8d8a8492b96

SHA512
d6f6bc3daf4bc8b17a979a5c95c29b7be19e17dfb613a6797e127ec1bd184550de460dc929334cbb113efe9c6c7b23b7427660a25a16aa49d42c869c59c840d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4800_IFUXEQLILYYUOBJF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit