d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
22-03-2023 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Size

1.4MB
MD5

54f8a4c3864f17466705a15a2ef2a06f
SHA1

db53ec7eaf2928f8b627f36766ccf7c293bf910f
SHA256

d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b
SHA512

7bb0bc0aa4f22de48284f401a382ed937407324bf25bc30337ca89d342cba0394fedb8e9ead1c8d3c05db6232c6c7bfa484261f633aa1a29940deaef04bcd78a
SSDEEP

24576:AGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRbr5hMS6S:bpEUIvU0N9jkpjweXt77X5yjS

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

Processes:

d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5000 taskkill.exe

pid	process
5000	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133239347370496490"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4624 chrome.exe
4624 chrome.exe
2056 chrome.exe
2056 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4624 chrome.exe
4624 chrome.exe
4624 chrome.exe
4624 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeAssignPrimaryTokenPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeLockMemoryPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeIncreaseQuotaPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeMachineAccountPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeTcbPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeSecurityPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeTakeOwnershipPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeLoadDriverPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeSystemProfilePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeSystemtimePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeProfSingleProcessPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeIncBasePriorityPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeCreatePagefilePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeCreatePermanentPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeBackupPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeRestorePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeShutdownPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeDebugPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeAuditPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeSystemEnvironmentPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeChangeNotifyPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeRemoteShutdownPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeUndockPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeSyncAgentPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeEnableDelegationPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeManageVolumePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeImpersonatePrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeCreateGlobalPrivilege	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: 31	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: 32	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: 33	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: 34	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: 35	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.execmd.exechrome.exe

description	pid	process	target process
PID 2076 wrote to memory of 2636	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe	cmd.exe
PID 2076 wrote to memory of 2636	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe	cmd.exe
PID 2076 wrote to memory of 2636	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe	cmd.exe
PID 2636 wrote to memory of 5000	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 5000	2636	cmd.exe	taskkill.exe
PID 2636 wrote to memory of 5000	2636	cmd.exe	taskkill.exe
PID 2076 wrote to memory of 4624	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe	chrome.exe
PID 2076 wrote to memory of 4624	2076	d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe	chrome.exe
PID 4624 wrote to memory of 3092	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3092	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3588	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3088	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 3088	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe
PID 4624 wrote to memory of 4732	4624	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe
"C:\Users\Admin\AppData\Local\Temp\d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffaa44d9758,0x7ffaa44d9768,0x7ffaa44d9778
3⤵
PID:3092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:2
3⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3104 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:1
3⤵
PID:4872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3068 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:1
3⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3580 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:1
3⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4788 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:1
3⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5020 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5352 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:8
3⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4596 --field-trial-handle=1680,i,3373540574383323418,9449499388987801397,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
bda6c9e55455ca4f87a7ac92d1ffec31

SHA1
3a83d9458514bd9d3b4ae6e8ef5f906876b54bce

SHA256
a6644ffe17fc2fc2d789c60b9b79f83b628a7e0f52ef2f805ba4ee4a0eada324

SHA512
a7c574390e5b3b6654d7fee6aaceb0160480e4523d9391179c421de395a3b0d0eca0ac8e1bdc7bec869612107f752d344a736933813557c45bedc81be378a183

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\39d1582f-1129-45b0-837a-1b2a1c547d5b.tmp
Filesize
868B

MD5
9a7cc5f2ac801d1ce4ff03998783b609

SHA1
70eaeac3d304cd2986cbc63f1e0828805f207e59

SHA256
efc10f168bbe68c2d34977e3a96348c2315963df55de366711a866ccc99f1ead

SHA512
a076a57e549ec1e9a7239d967ffe7ddedbe2f123f8ebabba52c4188757dd33c93d3621b0f6f51aba5f96ab8ada211ccec452b0f766aef26c4cbae3a42c87ad7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
98071860694cbdda070f878b986766c5

SHA1
2de60a01d42f3ddaa3fa3464fb37e32196f9adcf

SHA256
55ea72cc7f66b1d33514e0d0c9662ce7330d4a618ecd500118e011b1b3aaf44a

SHA512
03de4070dc14e68849088c1d267ce61d7f0bc9e3a0285f7bdbe693dd504fd4ce06242423258b4e4b7b73f8a67323719c0b26c24c74c6b81a05f2e46a60eff51b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
a862ffaa8ae7bfbce02dbdb2a6b5c6c4

SHA1
a5cd79d0f87ce75f6c0545704ab2c5c07382aa32

SHA256
2f8ff85122fd2cc1554968d9720a21406837e5c06041ba484b209dd64c1de377

SHA512
04ecd001e84aaab8f8919530d1f06520bc0ec4caa7e3f0b9c78fb6d8426e3f6c56421ebff515cbefff4232d652b84c701dbde7f4939924a77c441f56feafa9d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
9557f41ee7a6976fb9b843d9f8c26b09

SHA1
2ef056c81d982ae6f409fd4637fed01ad9e0ab67

SHA256
9bb8ec50ff9e50b1e34b84be83236873a08d438bb78ac40ceed335a969b8f09a

SHA512
316577e401f674b3b96732215fbd03818910a97b260d68729f434a5757ae4126832cbd224017fac44de422130dcbd9ac95be6dab3621ddf615975dda66489fb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
9c9228e3055952a9e772f22f65a92172

SHA1
77a781dd782f73b7011a394019600edd5d361e6b

SHA256
942284287c74844c89ff4fb3fdd06db987eea6e486a4b8d7f095deb08b02a473

SHA512
3bf6a643b0c1b12b668700899861934e848d9a4729b71ecbe0f876823a0e7c6bbfb849a9709eb38cc2267c14edfbc7516289ec672f512d325ac7b12a92227b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d68658e9d4f52d3d64ec99c0e912165c

SHA1
56388cb089cfc2da46647356415fd2c95e8dd745

SHA256
21b19824cd329a98338dd4236e128a18e3df52eb24bf18ef898a358ebcc02064

SHA512
48f8444dc75e00901b1502c0e6ec0001bf177d1da8fce2105dc1c20921d948977003161cbbaefdd8b1e6c3fdca88b6e57e127c09619651c8337fdb6fcf9b0ba0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
b3ac33aea29bbdbfe8736049a50d207f

SHA1
80a252583bc37465f2f38fab77411dd01b5bc294

SHA256
5cdf243b4d98b0c3b5138b895c6c967b4d1c68616abca13aea7031ae61cc7379

SHA512
37d954284e6d9ad8a36d78158d40332d4f16d3fe43734baba1476bd24f538c03e8a33ca5261c56c380d9b61a06ab3419864c59fa61d7478111525572671667e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
22e0456b12565d4f244c5a0fa711c303

SHA1
0a594f9e0c21b3d188057a5396a61492dd04d8d4

SHA256
061965a0f34a70edc871466b84cd266778b19795b522eee705693c028c358e63

SHA512
466752fcfae1c8d7156b87b5cac535fba415b19160cf763d02a76219ab94e53332db7ec6f95f0e83c4026b7c769bea6a06707945289537605094a222c4239d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
e18a9cdc9c0ce0ff4717287678ae863f

SHA1
7fdc7eda1db64560c5a72e4c1f8ef8280d96aa42

SHA256
6791fb3bad0f67a943555c766a126296acc425cebd99fa563d0e938ae5639e7b

SHA512
1c0e068a5b6e5d1441d2acca2e32adac13fca96ad7af16d9f6b3268f9bceb8554a4d62351398d9de17b3ecae861e4219a9625329d6021ba75218fdcc08591088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a10e234d-2a2e-45d0-8cdd-5d2d49d56539.tmp
Filesize
11KB

MD5
56122b1c9366057badda7af8c0baf595

SHA1
61267082e3bae30defc1b5050bafb87ead851431

SHA256
8842f4fa1920321a422dd26468b9ef5f76df14a05c4dd8d2cc6b336b70605942

SHA512
8773c268f945f097483ff2eef8ed7401ae34cdb7e74f01eadb2f5e475f4f58b723d978914822d92bdd24636315299c33ec04d05412082f8a89ca1b4e33197da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
144KB

MD5
e4a388ee54d19993250f17286a3cf032

SHA1
f3e5e451c8b2b8cd66b23b03be73ac33e332c08d

SHA256
57cd869b0decf80652ccc73bb51026e2a62afaa2b5588ec77e7906d42dde800a

SHA512
78ea0ae410fc40d1c9dbf873bf9b2b524d51917688a1000655bc2eb44a5346f8a2fed864546a2614bf689c22cb35156c6a50d89446c70eb7d1f4c3d48d44c765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit