hxxp://gofounder[.]net

System Information Discovery

Processes:

nitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	nitebrowser.exe

Executes dropped EXE 16 IoCs

Processes:

Click.Here.to.Install.Nitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exe

pid	process
2028	Click.Here.to.Install.Nitebrowser.exe
4872	nitebrowser.exe
4288	nitebrowser.exe
4844	nitebrowser.exe
1388	nitebrowser.exe
440	nitebrowser.exe
1784	nitebrowser.exe
1564	nitebrowser.exe
4036	nitebrowser.exe
4336	nitebrowser.exe
2252	nitebrowser.exe
3460	nitebrowser.exe
4884	nitebrowser.exe
4912	nitebrowser.exe
4948	nitebrowser.exe
4728	nitebrowser.exe

Loads dropped DLL 27 IoCs

Processes:

pid	process
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
4872	nitebrowser.exe
4844	nitebrowser.exe
4288	nitebrowser.exe
1388	nitebrowser.exe
440	nitebrowser.exe
1784	nitebrowser.exe
4288	nitebrowser.exe
4288	nitebrowser.exe
4288	nitebrowser.exe
1564	nitebrowser.exe
4036	nitebrowser.exe
4336	nitebrowser.exe
2252	nitebrowser.exe
4884	nitebrowser.exe
4912	nitebrowser.exe
4948	nitebrowser.exe
4728	nitebrowser.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

reg.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nitebrowser = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 14 IoCs

Processes:

svchost.exemmc.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\gpedit.msc	mmc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\GroupPolicy	mmc.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	mmc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files\SaveAdd.jfif svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files\SaveAdd.jfif	svchost.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Collects information from the system 1 TTPs 4 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exeWMIC.exeWMIC.exeWMIC.exe

pid process

2616 WMIC.exe
2408 WMIC.exe
2008 WMIC.exe
2564 WMIC.exe

pid	process
2616	WMIC.exe
2408	WMIC.exe
2008	WMIC.exe
2564	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5495FB51-D018-11ED-B7D7-72EDBB006969} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247771390955875"	chrome.exe

Modifies registry class 32 IoCs

Processes:

Click.Here.to.Install.Nitebrowser.exemspaint.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell\ = "open"	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell\open\command	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\shell	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.html	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application\ApplicationIcon = "C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe,0"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application\ApplicationDescription = "A privacy-focused, extensible and beautiful web browser"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe,0"	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.htm\OpenWithProgIds	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.html\OpenWithProgids\nitebrowser	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\DefaultIcon\DefaultIcon = "C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe,0"	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.html\OpenWithProgIds	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.htm\OpenWithProgids\nitebrowser	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell\open	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell\open\ = "Open with nitebrowser"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application\AppUserModelId = "nitebrowser"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application\ApplicationCompany = "nitebrowser"	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\shell\open\command	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.html\Document_backup	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application\ApplicationName = "nitebrowser"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe\" \"%1\""	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\DefaultIcon	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\ = "nitebrowser"	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Document\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\nitebrowser\\nitebrowser.exe \"%1\""	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\ = "nitebrowser HTML Document"	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\Application	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\DefaultIcon	Click.Here.to.Install.Nitebrowser.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\nitebrowser\shell\open	Click.Here.to.Install.Nitebrowser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\.html\ = "Document"	Click.Here.to.Install.Nitebrowser.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exe

pid process

912 reg.exe
1676 reg.exe
4640 reg.exe

pid	process
912	reg.exe
1676	reg.exe
4640	reg.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

nitebrowser.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	nitebrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	nitebrowser.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	nitebrowser.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeClick.Here.to.Install.Nitebrowser.exetaskmgr.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exenitebrowser.exechrome.exemspaint.exenitebrowser.exe

pid	process
3316	chrome.exe
3316	chrome.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
2028	Click.Here.to.Install.Nitebrowser.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
1388	nitebrowser.exe
1388	nitebrowser.exe
4844	nitebrowser.exe
4844	nitebrowser.exe
1784	nitebrowser.exe
1784	nitebrowser.exe
440	nitebrowser.exe
440	nitebrowser.exe
1564	nitebrowser.exe
1564	nitebrowser.exe
3264	chrome.exe
3264	chrome.exe
2768	mspaint.exe
2768	mspaint.exe
4036	nitebrowser.exe
4036	nitebrowser.exe
4036	nitebrowser.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mmc.exe

pid process

4924 mmc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3316 chrome.exe
3316 chrome.exe
3316 chrome.exe

pid	process
4924	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskmgr.exe

description	pid	process
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeDebugPrivilege	3592	taskmgr.exe
Token: SeSystemProfilePrivilege	3592	taskmgr.exe
Token: SeCreateGlobalPrivilege	3592	taskmgr.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe
Token: SeCreatePagefilePrivilege	3316	chrome.exe
Token: SeShutdownPrivilege	3316	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3316	chrome.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe
3592	taskmgr.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

mspaint.exeOpenWith.exemmc.exeiexplore.exeIEXPLORE.EXE

pid	process
2768	mspaint.exe
1780	OpenWith.exe
4924	mmc.exe
4924	mmc.exe
4924	mmc.exe
4924	mmc.exe
4924	mmc.exe
4924	mmc.exe
1328	iexplore.exe
1328	iexplore.exe
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE
4080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3316 wrote to memory of 4420	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 4420	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 1232	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3360	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3360	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe
PID 3316 wrote to memory of 3468	3316	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://gofounder.net
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb0c6b9758,0x7ffb0c6b9768,0x7ffb0c6b9778
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:2
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:1
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4524 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:1
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:3716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3996 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:8
2⤵
PID:3304

C:\Users\Admin\Downloads\Click.Here.to.Install.Nitebrowser.exe
"C:\Users\Admin\Downloads\Click.Here.to.Install.Nitebrowser.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 --field-trial-handle=1816,i,7594450416548737353,17797675411027832764,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3264

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1760

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3592

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4872

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v nitebrowser
2⤵
- Modifies registry key
PID:4640

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=gpu-process --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4288

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --mojo-platform-channel-handle=1920 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --node-integration --webview-tag --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1388

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1784

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:440

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --enable-plugins --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#ffffff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v nitebrowser /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe\"" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4128

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4220

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list"
2⤵
PID:972

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list
3⤵
- Collects information from the system
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:2320

C:\Windows\system32\chcp.com
chcp
3⤵
PID:5060

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=gpu-process --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=3268 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4836

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4468

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list"
2⤵
PID:4684

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list
3⤵
- Collects information from the system
PID:2408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:1504

C:\Windows\system32\chcp.com
chcp
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --enable-plugins --node-integration --no-sandbox --no-zygote --enable-remote-module --background-color=#ffffff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:2252

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --enable-plugins --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar/build/view-preload.bundle.js" --context-isolation --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4816

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:2972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4004

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list"
2⤵
PID:3748

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list
3⤵
- Collects information from the system
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:788

C:\Windows\system32\chcp.com
chcp
3⤵
PID:2088

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --enable-plugins --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar/build/view-preload.bundle.js" --context-isolation --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4912

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=renderer --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --app-path="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar" --enable-plugins --enable-sandbox --native-window-open --preload="C:\Users\Admin\AppData\Local\Programs\nitebrowser\resources\app.asar/build/view-preload.bundle.js" --context-isolation --background-color=#fff --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4948

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1692,2681166424714583105,12788556612048015349,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --standard-schemes=nitebrowser --secure-schemes=nitebrowser --bypasscsp-schemes=nitebrowser --cors-schemes --fetch-schemes=nitebrowser --service-worker-schemes=nitebrowser --streaming-schemes --mojo-platform-channel-handle=3276 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:3096

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"
2⤵
PID:4424

C:\Windows\System32\reg.exe
C:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
3⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list"
2⤵
PID:1328

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get Caption,FreeSpace,Size,VolumeSerialNumber,Description /format:list
3⤵
- Collects information from the system
PID:2564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:4952

C:\Windows\system32\chcp.com
chcp
3⤵
PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Program Files\SaveAdd.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v nitebrowser
2⤵
- Modifies registry key
PID:1676

C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe
"C:\Users\Admin\AppData\Local\Programs\nitebrowser\nitebrowser.exe" --type=gpu-process --field-trial-handle=1656,11371743190256263187,16791066504088574480,131072 --enable-features=CSSColorSchemeUARendering,ImpulseScrollAnimations,ParallelDownloading,WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
- Executes dropped EXE
PID:3460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524 0x520
1⤵
PID:3980

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:4584

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" C:\Windows\system32\gpedit.msc
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1328 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

System Information Discovery