1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
19/04/2023, 07:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Size

1.4MB
MD5

5df62b8bf702b566ee374eb01b69ae1e
SHA1

cbde6930c79f49130837bcec23c089273a7d0e1e
SHA256

1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77
SHA512

20ac10f4d55a1884dcaa3dc62647881f152b723d940a6fa054f634f6dda7d129daff30526d5a7e6720c3f451060b6d6501b772bbc8e12a20d5190fc8dc42b314
SSDEEP

24576:yGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dR3p5hISI:hpEUIvU0N9jkpjweXt7755GR

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4608	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133263694170484065"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeAssignPrimaryTokenPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeLockMemoryPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeIncreaseQuotaPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeMachineAccountPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeTcbPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeSecurityPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeTakeOwnershipPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeLoadDriverPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeSystemProfilePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeSystemtimePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeProfSingleProcessPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeIncBasePriorityPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeCreatePagefilePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeCreatePermanentPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeBackupPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeRestorePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeShutdownPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeDebugPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeAuditPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeSystemEnvironmentPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeChangeNotifyPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeRemoteShutdownPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeUndockPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeSyncAgentPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeEnableDelegationPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeManageVolumePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeImpersonatePrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeCreateGlobalPrivilege	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: 31	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: 32	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: 33	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: 34	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: 35	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe
Token: SeCreatePagefilePrivilege	2840	chrome.exe
Token: SeShutdownPrivilege	2840	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe
2840	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2140	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe	66
PID 2932 wrote to memory of 2140	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe	66
PID 2932 wrote to memory of 2140	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe	66
PID 2140 wrote to memory of 4608	2140	cmd.exe	68
PID 2140 wrote to memory of 4608	2140	cmd.exe	68
PID 2140 wrote to memory of 4608	2140	cmd.exe	68
PID 2932 wrote to memory of 2840	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe	70
PID 2932 wrote to memory of 2840	2932	1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe	70
PID 2840 wrote to memory of 4700	2840	chrome.exe	71
PID 2840 wrote to memory of 4700	2840	chrome.exe	71
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3756	2840	chrome.exe	72
PID 2840 wrote to memory of 3752	2840	chrome.exe	73
PID 2840 wrote to memory of 3752	2840	chrome.exe	73
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74
PID 2840 wrote to memory of 3052	2840	chrome.exe	74

C:\Users\Admin\AppData\Local\Temp\1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe
"C:\Users\Admin\AppData\Local\Temp\1d1d06aa3208fde11e450d944f044f1202ee622c4ac072e457ccbc53e66d7d77.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8dddb9758,0x7ff8dddb9768,0x7ff8dddb9778
    3⤵
    PID:4700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1616 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:2
    3⤵
    PID:3756
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:3752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3092 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:1
    3⤵
    PID:740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:1
    3⤵
    PID:2968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3676 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:1
    3⤵
    PID:3416
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4920 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:1
    3⤵
    PID:3424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5060 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5056 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:5112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:8
    3⤵
    PID:1556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4572 --field-trial-handle=1744,i,10415570743766329023,17538626694493118319,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3204

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
5e7535a5da1d3f34fb03c47e552dd138

SHA1
8e969b5b04426dc86d9af67e46f4785c88a3f025

SHA256
0b01fb19d4d45218ef71a1323625856dbb99fecac4b675cb1f130bb1c921d152

SHA512
4c72f5f2d509affadd88b1618229c2b3ef96cc9e607bf030726ff307d836c15069b7fc92180822725e4fa337b728b5ba686d1afc0f02acfcd7f87fd3062d0ed6

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\027b56f6-0874-4a60-a7ba-5aec6042f4b0.tmp

Filesize
5KB

MD5
d259f691a3c772b276c634b3feaa1664

SHA1
8be487ae13a09a24120064b2ee7238c06f7c6ce3

SHA256
8d1e1201906631c52b64f2c0039345314b91fe508d474fd5ce4798f4859dd9cf

SHA512
d80523c884971a2c89c4e76f926876e6b3455292cfaae44e8ab1c69f28522123ecd5f6df07627642460aab605e1302802e7d082ff0d1c0b160fed8434b58b6a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\21f6637f-8a72-4423-b586-ad4ac1cb50ae.tmp

Filesize
11KB

MD5
a6ac8eb13c1251f577e6f741317b5001

SHA1
d41fa817b77b7e4ed8368cea407cb86b46d1c747

SHA256
d5e635b80825bc031cc6029d5da77f6e8b001e5eb453dfd304382c6c6755e9b2

SHA512
25804f314e17140bebf127dc9925ca13f9632d852f0e53eb00fa9d0dc3556e88754d6b1a01436410bbdab3e95a5feaab883d5a9d2be8512ce817227b7300baa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
527e832a844a2bed0354f7e38d707a20

SHA1
6e25a4fb48b82304e3417546a52eb78ef5a0c992

SHA256
c24daddc1864bcbdc1d09187c2b8335c8be69c526da28a774e483d11a2f7ad64

SHA512
0a61b47e20b2f42cbbb6b0316a75461c508751bde4bdf6bc2418788d6e0ee724d196507256496507bd90de22d31c6b571c8d07786aae673aa996c617187b890f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
19a591b4b361a24d4be62cd41c7764e7

SHA1
80920302c86c96e7f62d52aaeb66321f63fbcad2

SHA256
45555fd753f40278dcf00cbfb7ef59739514c575975124351c09b3c0c1611ae0

SHA512
98b3a930b080d3d71522b69f996b4b1b95b8b836f899bed06fb8ff0d08aa86bd0c6c5d4056d8f1bc53b3aa68828fa1a383abfc7be539710dd56c223ef10bde85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
a34158ea49079576fe8ab74744675695

SHA1
68d150ef04fe81d8f7d38a1d1747d36635987f5a

SHA256
b665001df328145efa5b0686dfc1fca12d7bc33d1b8695cc37b689715f92c350

SHA512
d1bb9b5e65f95f974e2446a353562a6b1ab3240da269c97e82ff3c770a3d2ade245941c9b4f87f064590d12079140e386c464bc641d00ba5be7d37ee12e26550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
b3b1f44294995c5b0ebc591e07983e48

SHA1
0bcf90246eb77356722a83ff01c87e351bf5d42a

SHA256
a099214a1be316579c1079a6463c84f15cfcde0ce6c9513f83c4cd0b28c8e160

SHA512
5532903fe9881f6ef04a3a73765cbefd820f8ce882f136ed91c712e9e68a6c88a6d00048c4fa4325be830cfcf0f48ad89bd34e91601c12bc66fb77456eb3e481

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
1c9a174db24c7f9b0aeae3d9c9923c27

SHA1
7a5097cb00f5206e6b4cda28590216a6fad62766

SHA256
da6e2004ceee19fa72e4068f86845780e872f15edba5e144d559822021545019

SHA512
b8c246c7fbab42f61faad8068df4f9728aa480e68aef90d49c668534873a8a00a490fa7da6b3b346eb14b30c753b33f97efd588ed64ebd9481c971ab55ce54bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
2f80f4d550df512b44cb18cbb1b861df

SHA1
a150621999f139744c94592dbc667714e83771f7

SHA256
09b5f0f20cce56e3fd9bdf2b468d0f23457b721ca5e6916b684140eefbafab1b

SHA512
e29959e3e12df1ec6ec61a3af238683f28d3e4b92af13a63a82c2a03ac5c0b8e63756d7ebeca36d5ef827775ec1fec23bafdc56261b0a2d2e3cbf92974a5be13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d867d429168d46712c42f4a3edf856e2

SHA1
94cff473072faafa78c6dd963b0f75c45b213560

SHA256
fb0d5e2ff3d021b263fec96ad1cced52b289cd6812b0022f26d46fba587bd375

SHA512
582eb6df223d5234b61935b9bcd7fd10a4ff0a8ba4b81dfb4888f6a0fa20ac0b12af8979b0aac1afe8a6ab51952e6c4d8d85ef0f4174446415d03348adf4c4bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ba21ccc8fa8dfeecf2250fc90ef5e324

SHA1
c9c8296168ce9f467ead48d5e50caacf0be6af63

SHA256
91690a20368e491f5cd0790c6a4713e0da3ceec9c1467372ee04a777c07d1b2f

SHA512
e60b8d34727ca5c47c6d35e29bd9ab53e52751752231fe695df3f7c2ef600ecbaf97cfc04705e8259164d9c366b70b360071702a08ab6af220b8754d7d7e8090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
c836b7216a656c4484d18f9845798b20

SHA1
002509261f7a2decf9495e830eed7e6d8575023e

SHA256
b93ae9e78106f5e3e8d1d3ef53f0be8679c241050c5fc659f74b726e459f51ba

SHA512
cbdecc532de57455ca4c748bba63df38c5ebdf3db7d30935080010c7e9fc1808d83f12a4e3bba636d773b3aa4b911c400ee07e3f4c78fe5b14413cf24e26a437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
200KB

MD5
6cebea9382f63400638969382e656394

SHA1
8b6a3bde95bb26794c20dd42485a6aac782ba09d

SHA256
a266bced2a82995a387e15192b1be8f8efd7e3691463b21a2bc91453f6f44e91

SHA512
6474ba1de66fe692dbaf4b0ee1e02641153486edf8d03a0862f75ef03f6230f1b2fd9bfb3d54b260a2378f95e02793bc944319e1a32de509dd818f32fdbc5735

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit