761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Size

1.4MB
MD5

1d6b17b32df42122cb903f11072c81d9
SHA1

1b2d6b56f2e2b867c0ae1263ee66e3369fee9905
SHA256

761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6
SHA512

8bf67bf14f8e9b687326681c9b5786aad175c337fc89ed80a7c5fa171134b8c76bc76a2c29eaa9b72723eb966fadcebccdf4c33ff4a35b07cc270f7a64f80aa1
SSDEEP

24576:sVYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrE/15h7tx8W:QpJOl8xFMRy/SeQgd5Jv8W

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

Processes:

761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe

description	ioc	process
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4760 taskkill.exe

pid	process
4760	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133240344030987767"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

4992 chrome.exe
4992 chrome.exe
4292 chrome.exe
4292 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4992 chrome.exe
4992 chrome.exe
4992 chrome.exe
4992 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeAssignPrimaryTokenPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeLockMemoryPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeIncreaseQuotaPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeMachineAccountPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeTcbPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeSecurityPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeTakeOwnershipPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeLoadDriverPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeSystemProfilePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeSystemtimePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeProfSingleProcessPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeIncBasePriorityPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeCreatePagefilePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeCreatePermanentPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeBackupPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeRestorePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeShutdownPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeDebugPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeAuditPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeSystemEnvironmentPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeChangeNotifyPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeRemoteShutdownPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeUndockPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeSyncAgentPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeEnableDelegationPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeManageVolumePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeImpersonatePrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeCreateGlobalPrivilege	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: 31	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: 32	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: 33	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: 34	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: 35	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe
Token: SeCreatePagefilePrivilege	4992	chrome.exe
Token: SeShutdownPrivilege	4992	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe
4992	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.execmd.exechrome.exe

description	pid	process	target process
PID 1532 wrote to memory of 5060	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe	cmd.exe
PID 1532 wrote to memory of 5060	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe	cmd.exe
PID 1532 wrote to memory of 5060	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe	cmd.exe
PID 5060 wrote to memory of 4760	5060	cmd.exe	taskkill.exe
PID 5060 wrote to memory of 4760	5060	cmd.exe	taskkill.exe
PID 5060 wrote to memory of 4760	5060	cmd.exe	taskkill.exe
PID 1532 wrote to memory of 4992	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe	chrome.exe
PID 1532 wrote to memory of 4992	1532	761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe	chrome.exe
PID 4992 wrote to memory of 396	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 396	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 3036	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 2156	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 2156	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe
PID 4992 wrote to memory of 4032	4992	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe
"C:\Users\Admin\AppData\Local\Temp\761d16d366991ba437a398a5beabc5ca0514162b4bb614b6bfed882b489ed0f6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe9b339758,0x7ffe9b339768,0x7ffe9b339778
3⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:2
3⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3164 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:1
3⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3300 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:1
3⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3872 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:1
3⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4936 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:1
3⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:8
3⤵
PID:540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1812,i,14864723372673774105,17026323425395041618,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
9f284b7276e3aadc6af81d6b3d214529

SHA1
c0c8337b3b6e3979579b56fd913a33643ba059b1

SHA256
04c386df8095e431b0e3c382eac6e6ee164009318a25b4cfff329a399f1a2970

SHA512
a936f43b37320e411088b61a4da2a7ce874a4413d255c6c9844fc5c8a14f4b0b8093738b996e2246576f16caa116988d14762851698bba2cc9bc97546cc60eb0

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
11f4655c926244124f8914d4b69d246f

SHA1
352a6ca2796d30fb51c9977eda8e53366bece1e7

SHA256
07e09fd492c929c8d27266f66fa3b723fbb22d7f3ec6441b3b1976330ddca49d

SHA512
bffceeda1bab44135911707dd6e9c8a487a5a031218f92678765b4002a8b0a6453e16f0ca97a08bcbe0ba0333c2adfa3235910a538200362efae98607329abda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
f1b2716e6e02e5158ca88d4be6e0a673

SHA1
0f203525e74e17d49ce683c0a267098cdae69ff3

SHA256
a0f342de29dcc06ce7a365024608cbb800893a636247ea0bc65cc2d0a86b472c

SHA512
a29aa28bc838596917b5bef5b04b35c14b95fb34f4ae888cbb7a9ad9109f707dc49adfd79e8559089d4dadea09507597f087778206c7797eb84a5f08f47c6c62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
868B

MD5
2c6c6f602713e71a8cfaa6ce4c2abdaa

SHA1
3dbd03a5d48f83966b37c7ffd30a40db6c915d99

SHA256
ee42310bb6716f795a3c5c69bf41f3908108aff3e06d2156599a92daa4f45bbb

SHA512
a0a7ee1cca80f4d5f6e1fcc1749e238634a6b2688358c8de58ae3de6049e41960d9cae384a498a87915823b10679f7dd6ee45fc93784386c196e244b2d4e2b31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
868B

MD5
70c95cf9fe05c4bbaa3e59ba122fd080

SHA1
00c05ffe61e54a7507346cc7e40478d1be998e13

SHA256
b0a3df750c18b76c46556f81e5ad94d687b8fedf030e8ecadb63fd0298e60855

SHA512
ba42b7c36c5fdff82a9885e7bb18aabdcc242bcea1bc4517b722d3aec10f84e391dfcab920aaf682ce958d7ee95bce764241f84776b4082db75af71a88372946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
f66fc839e532a42eb34794932e5dd70e

SHA1
52fc2fb7b5c55219a4de7598b7220b27c0d875c7

SHA256
7b2ccf73ee39e8395ced48877b3ebc2b331066ebf17cdc9036f8ac027aa14c49

SHA512
ee4929c22968e04c612573a747abc35effcae1eb9499efd23ca1ef07b2defe24586b19111e4d00171585b3e1a2e6cd7a667a941f29f430fd2d27bf3aee2496ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2933d1a3cca17ce4fc1ea8214a48c7b0

SHA1
0db7de4917e0127341ac3eb8371908db7264f387

SHA256
adebacbc25eaf24fe1422fa6ad0e0b9f198111d62df069b39d84c437cb4d45ea

SHA512
86f0eab3f1205c6f38e74066b841aab49049eae92e92acaff476192708df8a7e88146014b8d8128e276800613d5dda7a01ea6ba7ef47601ddd39b728818df249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b55128de7f47ed5697c370fde93d836b

SHA1
3975fee5d4d748e1e5a2798cbe4e963deb103014

SHA256
77255486cf902c1a32af3c29a4ab43411ec49af41957cff7adfa5e33ade73b65

SHA512
0f940719efad367afb6cd2dfdda1715e9b115486101ae080cd24f60a88f64f668e0f40144cc9b7f49080ae80816c340eee5b0c23fbfa805cb882a2db6e5833d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
6065f2f2841e056b648742b96f23533c

SHA1
ff00abfc1427177624cc4bf0ada3e0d082f02141

SHA256
32aba359f1b91e23a972b738c9d8132d001743afc653bda5a0adeab1648ab78a

SHA512
87a5d64fdca9cbacb8fdc031db31ac4825e6df7951bdf1652516379404f3aa13ff94578e8887623fd00c358a3c58c81dd0d6d85699482599f7599e05e21fbd76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
4fd30d3af642e0c93c1785bb249a38c3

SHA1
5e118751b24801435414d031896ae25afab04802

SHA256
1090e8f10c53445a8e4b85dd5ddb2ef9bbba13aabf1eb9b44c62be6da5c3b353

SHA512
fd224b887e0554c411b4471491a4446d0eb2cdcc41438933afee7cafbd002a20beb817892da97426b866dec79067d4d7e05eaf225783fe2a9bd1bcd26a5e13ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
145KB

MD5
b78bd18f9ceb84e355639a455b0bf342

SHA1
dc85183466d35ae61851fdd15962d6b6491b116f

SHA256
98e7224509b18579b1acab1c9548a4e4476d9d29f6b1a563973b8a2fab04b9db

SHA512
f5771793df2186d2f58249b2d8446ecde29c1dbff76c2173da85f637da5fdbe3eded46a29b48ff23b8e4774189e44d73c03457ca8af6ed2d51a3e6cf6890e85f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4992_WAMYTTQOFJCWZWFA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit