5412e65118ff39d6957b2d0243e528a698a864c5b897fce8a24f8db484238913

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2023 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Size

1.4MB
MD5

802e1974c79084d3b80ce713a54929aa
SHA1

c65a48fe08d3747202ab2a2bc6821a3f6dd95f76
SHA256

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8
SHA512

e738c94641b115014abc798142c6a25a70183b266730e7ca76628fd1c3d1654d54e8d1b3869f0b71eae9547c2e983f222cc1507c3acf678fedd26a2dfd6bd92f
SSDEEP

24576:UGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRTg5hoS6S:fpEUIvU0N9jkpjweXt7785GjS

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

Processes:

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3164 taskkill.exe

pid	process
3164	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133238835887149707"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3372 chrome.exe
3372 chrome.exe
4196 chrome.exe
4196 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3372 chrome.exe
3372 chrome.exe
3372 chrome.exe
3372 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeAssignPrimaryTokenPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeLockMemoryPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeIncreaseQuotaPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeMachineAccountPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeTcbPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeSecurityPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeTakeOwnershipPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeLoadDriverPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeSystemProfilePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeSystemtimePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeProfSingleProcessPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeIncBasePriorityPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeCreatePagefilePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeCreatePermanentPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeBackupPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeRestorePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeShutdownPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeDebugPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeAuditPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeSystemEnvironmentPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeChangeNotifyPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeRemoteShutdownPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeUndockPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeSyncAgentPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeEnableDelegationPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeManageVolumePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeImpersonatePrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeCreateGlobalPrivilege	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: 31	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: 32	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: 33	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: 34	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: 35	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.execmd.exechrome.exe

description	pid	process	target process
PID 2180 wrote to memory of 100	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe	cmd.exe
PID 2180 wrote to memory of 100	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe	cmd.exe
PID 2180 wrote to memory of 100	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe	cmd.exe
PID 100 wrote to memory of 3164	100	cmd.exe	taskkill.exe
PID 100 wrote to memory of 3164	100	cmd.exe	taskkill.exe
PID 100 wrote to memory of 3164	100	cmd.exe	taskkill.exe
PID 2180 wrote to memory of 3372	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe	chrome.exe
PID 2180 wrote to memory of 3372	2180	6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe	chrome.exe
PID 3372 wrote to memory of 4640	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 4640	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1496	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 3800	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 3800	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe
PID 3372 wrote to memory of 1064	3372	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe
"C:\Users\Admin\AppData\Local\Temp\6eb28920cd3e8d50c66e39e7aa042b22dd05d17c2a62817113d76e5df2732fd8.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc1ef09758,0x7ffc1ef09768,0x7ffc1ef09778
3⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:2
3⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3160 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:1
3⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:1
3⤵
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3744 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:1
3⤵
PID:3248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5488 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:1
3⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4948 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:8
3⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5608 --field-trial-handle=1912,i,11377760401654159507,900883440676927149,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
16fc9d9db5f8ecfb7f1d77a18126eb2f

SHA1
6f71ac6c1a531b4e330ea749cb66d30c60213cc6

SHA256
ac0c314234eec4ac7a3d3fc45ecf88686ed32f4d9012c1afc4522dbbff0a5ee9

SHA512
ca42cbf174b89c9c1711adbdc7cc478698675a9a82911f700394831420b116c9a205a0c84185f8b606d182e6aff2efa3b9c18cb5afe16b9e0f1488ab45bf43dd

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9be3c73a973875d4677b70ca934e7763

SHA1
b51e22f477d20b53329a9fe73721f0851463f38a

SHA256
c4f1f0468b020d5724b0c8aefa0f136185b2d29b0cef9aca4ad6ea356182ca7b

SHA512
2ac841709404e937b26a07ae84e58f2f72ae31c3fc26a8ba07f827cdc126cd09bd399562b7e8edc4796d15bb3aeeb914492343b04f82319a6c48288c71c18f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
1e3c956ecd90f28706640c0ba0d28d9f

SHA1
a7e0307a564db42b4f16189fb7331787218dff15

SHA256
a77ead18742b91e89879fc1fc65829a79f685969ff8f061e10c5f7b98037c169

SHA512
891fe71c71e33970407db4df67bbe9af13e735f9ffdf3f3d61dd171ec7e24d1d59664fea222be3d80e9ac11efe128b766e4b17e8e3e30129bac404881812e449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
9bcc1e0d258be9d208748f7578b64f32

SHA1
575ef549ecb38e2b03c4a5b765ed6de62f5098d7

SHA256
10d9db412717a40b281381bc6000d0651b014ac53ebe333b169eb9ea3568018a

SHA512
64532c6d1f2898c87837798e389e54720e8e68b318afc79d688869a92a8abc1b7903d8ea866c9d99cbbb45504e082677e2ee872e50d5ae4793c5f60a6ec0a54d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
363019002d2d07843fa0d9c4b1230e2e

SHA1
61bb5084a6af8167b149a890f01652ac4c1c72bd

SHA256
7483bf134feae00d0993961d18cf5fe3fb39cf4a6f94976e60bfa50a7e5ce01f

SHA512
ed392ea8f33d313d93ab1c65645eea449f26d2e076086331657199e06b08280c560240f7e8271dca4ef0ee0cce3c7bdb53ebab16e09117481b59a0117ea900aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
52a4738449223f25a0d79d9b494d7a18

SHA1
14c44eef0da6a82fabb9d85fe181b10a68208f85

SHA256
4ed3fd680e1284c7c5356bb1226dddcb4bc1b0cb30c3769faf79da556a2bc03e

SHA512
e90a874c4ada07247dee827cb7255a40759e273af50e0c85847fa0a3e879620c52248d63c6a72cca71680ada8296d1494dae8abff29c01fb7d1fcd69c9eafdbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
538B

MD5
af2a74d5acf55175decc914b7daf3f6a

SHA1
22cec31adb5b8480fc21ff1569fb8e07ae7e0263

SHA256
30f897e92f60271f8abbb732d5a7f3878b2ac1d3bb0ebc40482e0dc80da1bf97

SHA512
2da74bad715c9211d18e4367baca22bae0606509239d058474572f9743e3d90f5c2cff12ce8e87f8f7d33dfcd7dc76086f799044f5d602af2c8fe7a6c5064e16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
9cd1ef1ea1e669fca810b0abe6a6ab64

SHA1
5bf92f514d20db7a2ecae5d25acb8c8ae3f1ae15

SHA256
60cab25d94413ba83c3c85c56a3ef127e517286bf8e5a20e3237e04a8d25d9cd

SHA512
a0966c82c71e9ff037b34f71b86792ab3b82617b4ca3474cf7468194cca557760077c9d7bab772b57d2278621986f3e2cd0c1620ef441bc60c286e1cb171e408

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
f95885c06bae16cc5415e67d9de5ee80

SHA1
1801902a0bb8c136112db80d5146f45d5578cc40

SHA256
ef874a0438d2de150a62a979d91e38b960793f162253b49b327229e482f1831c

SHA512
f1c3ac45eaa2379820cd62e4974bfcd9e4199e8e4f161d9f268cecac5383b3386bfdd86e79077c64f295bd5362b7f5a8395101c8667a1cad22a761acf94b49ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
dba573ae1e37fcc8e9e0f01458cac564

SHA1
a8e46f74c18919772d3c17851434c2d6710e3317

SHA256
055137009ff424b1836e993cc5c738e273736e6d2a50c71905953b5b0619df2a

SHA512
a7fffb2cc4a71ffe945576b27811a628e64daa4250629a43343a046da197ff3a28a0e9ca7a54ecc885f2eda4bffe6fcb30300875bc4fde60c29b27c72a8d1af5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
fb6a166524efcd56df284eaa27dc7446

SHA1
311a344580af7c11a81aefdf8d83403f0cc156cf

SHA256
f7233419f425c386be3fe7aa52faca4206410eba7de844efdcb21c4cfba0e5d3

SHA512
6f1ed3f485a850284f6e1c86d1540382161985874049331bba36fba9162c4c06a65b1940f3f452a0ac925324c32adeb024ccd14e0f50ef76cc05bd48a91b6a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
00f22ec1e97e8c1225dcbd8903495874

SHA1
e9a4d07167a27fea34fc05ad631a92f5916a3133

SHA256
0095f1e4e220aa828e63b6efa32280962425df70d26ddc70ed1ddab56ca42f2f

SHA512
a2d15da5ea20e046b7377a900d510767a9238390ffe8713d275601e4afbeaa41a9bb163644d05c823407b06ac17294a836e2af43b3d587c759724fe18d2ca472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
2bd089522b71dd2e6569cf4dbd69b222

SHA1
a2b4409d48376f611aa238341e60f4a19f9625f6

SHA256
147f6798ad4cbc68c2404f343db9a3cd4140c3a503233d9c5bf92be4500c6009

SHA512
359037169c91a500df98a13aae3194d1685ba503e6d9545d7473574cb38265821bb364f45b7138c1b81e087e73c8aca8b17837e6510a575571eb78735845152c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\bc9545c9-0437-4696-ace8-85c862ffaae3.tmp
Filesize
11KB

MD5
50946888df1f28e14cbd7501be8b3640

SHA1
20f08ff5e25de15c6b2c859b58086f5094bbd471

SHA256
a164bb0407892cfaf0c338fdc6b0444ecaecf26c62a6ae0550bf7ecf5c1b5547

SHA512
893c1dd7b8b5f4f2fcbdfcb1030dc5c162cdb326aad6186cb35bb602eaac7697052c13ddba9c1a5cf6f61146cc58945b6515d933f6a109254f81509d27af1201

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
eb84df43f3473fedae7611078df4fc28

SHA1
df3c339314699e7624cdd2bc145e7849026f997a

SHA256
8c11cfa0230016b41f9cc031080890c396e37daabe5f0227854933b76c026f3a

SHA512
640fbc1bdc8c93d251d1f2f3ae62d2a75648a8bb07edd5ad5b9136db3f6295ccebb50c98cd242302d2c1b5732d750d248903268839188e468263e2026cdbfe94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3372_EGDKHWBDUAXIINCO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit