590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Size

1.4MB
MD5

d7497df36ae73bef6d1d8aeaa26f7a9e
SHA1

8517bcce345005aeb76b88f77695afe1a889a29d
SHA256

590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b
SHA512

f865cfa1ea527994393e2bc483dc69807453d5989ef2f226ff35574f82f6c1591d2e1b8789d4b97f947184ffa75b63e7e38a427a682d1da50973f0674e8387e5
SSDEEP

24576:vGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRj85hKSL:upEUIvU0N9jkpjweXt77Q5Eq

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
384	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133264682979972802"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeAssignPrimaryTokenPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeLockMemoryPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeIncreaseQuotaPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeMachineAccountPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeTcbPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeSecurityPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeTakeOwnershipPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeLoadDriverPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeSystemProfilePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeSystemtimePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeProfSingleProcessPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeIncBasePriorityPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeCreatePagefilePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeCreatePermanentPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeBackupPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeRestorePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeShutdownPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeDebugPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeAuditPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeSystemEnvironmentPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeChangeNotifyPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeRemoteShutdownPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeUndockPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeSyncAgentPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeEnableDelegationPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeManageVolumePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeImpersonatePrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeCreateGlobalPrivilege	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: 31	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: 32	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: 33	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: 34	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: 35	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 636	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe	83
PID 4416 wrote to memory of 636	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe	83
PID 4416 wrote to memory of 636	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe	83
PID 636 wrote to memory of 384	636	cmd.exe	85
PID 636 wrote to memory of 384	636	cmd.exe	85
PID 636 wrote to memory of 384	636	cmd.exe	85
PID 4416 wrote to memory of 3160	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe	90
PID 4416 wrote to memory of 3160	4416	590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe	90
PID 3160 wrote to memory of 4868	3160	chrome.exe	91
PID 3160 wrote to memory of 4868	3160	chrome.exe	91
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 996	3160	chrome.exe	92
PID 3160 wrote to memory of 1532	3160	chrome.exe	93
PID 3160 wrote to memory of 1532	3160	chrome.exe	93
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94
PID 3160 wrote to memory of 3172	3160	chrome.exe	94

C:\Users\Admin\AppData\Local\Temp\590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe
"C:\Users\Admin\AppData\Local\Temp\590ba1e7ae66fd62d1fc4933fba8ecc75827f390a6039405ff934954fc8b722b.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecfff9758,0x7ffecfff9768,0x7ffecfff9778
    3⤵
    PID:4868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:2
    3⤵
    PID:996
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:1532
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:3172
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3208 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:1
    3⤵
    PID:556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3344 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:1
    3⤵
    PID:452
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3920 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:1
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=5044 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:1
    3⤵
    PID:1900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4876 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:1256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:2956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:4932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:4736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:4000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:1280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:8
    3⤵
    PID:1308
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=856 --field-trial-handle=1832,i,8246687890361250357,16011254188140046583,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4788

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
c01ea4c6161836d2bdae41c7598aec4a

SHA1
56f900c7a0a4772b61ac0a9d12a93849910fb366

SHA256
3def7148c48008153405d7741b20e426ea32cc4b1f208159c4a667d67e5a8a60

SHA512
e26f7adab043d13c0a554fe6fd66166720e2e59abf0aab15cde34aeada1911340b2821f379b3b3f119dec8e5e76a569e36d011c03f202c976a52acba1443cd18

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bab98fb7493d7e371f50f1684921280a

SHA1
f1437ba02b42fe6f23586e48fd243b7149153624

SHA256
f442ae7fa91d369c5ecd82b2f6db2eb958bc239fefea33d654bf98f5e9ad3c5d

SHA512
b31416ba38e2d1488196e65e2a6095086471d8b256972bb13e7872c54f90a664b77ed0e114cd77ca4474e0eb0b8530961dae05e426bf8d21c04219da586272af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
2d4a519f4f4d53a3a1a031266c898b78

SHA1
3700b2e1239eae2dc7c8874a38b88314d97861fc

SHA256
05caec775c38d4eb6c151040927361046128b7e3badfdd844fca8c4d5ab7f174

SHA512
bd306e13282103d06880d2bcad07420956d085cd0c8983816d254022b95163bdbae19f341ed991e0aa2e9586fd88b9aa63eb90bfcf5ccaa3b8e100b9be9727b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
39a0f53d11ca1013da5264b9434e609b

SHA1
c83923734490061a42146e48b409265e56d6bdb5

SHA256
17d3ccf8fca0026dbb72e062af29b17cc834d4c566345f615aabc4b47a44496b

SHA512
54e9ebdc570d14af24b8c44834347b059f41a569b19b22c69d03f1c9322b380bcf9857d6efbf1ff8ffaf9b5428d1b192295267b85bf151134c2d0c1547021c0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
baf2d8432f42c4e559bca6d24ce8d65f

SHA1
516c9a98d3b0cf5f854bb16999ec8dd4dd1b7dd3

SHA256
d8d4b152b83f62925f501c2775a708e77b9e5886b0560065c199a0a968a8f63e

SHA512
566a3d92f6cb05abf23cda4e52fabcc8ff16565cc3d5fb0b974aea60f02964fbfd61be7c914c59d678f5ab69da99350c82d4abbb411c4ccba426b9750213337f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
b90ed307af20b6d07231c526291250bb

SHA1
250bc219f3ef2c63eb55fb8ee63bf24f8c312a45

SHA256
d6c4d58091cace5e715495fab24a6c767e080a3490f3f5d0d539c1ff8ed15dae

SHA512
3bcdab53bb8ee305c46e9f1dd1ab58f67ccafe03f5a62c6bf9e775f6bd27dda7b309593d9c919ab248552266ca5ecda8540a09b51c47a4818a7554bb678008e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2bdf24e37cf9f78f1c28f7d783ba91b0

SHA1
392d16a920451388b8cbfbe287aa25479413d9bf

SHA256
5ef0fdcebde0bf6ad227ebecfc3c285d8dd5a509204e085dcdfd4796c46f11f8

SHA512
144795decef21145c9fe7fae7213f5e15a11fd41eedd1847aabae0df71969aaff70fb8de24898e443b66e2b3b42717d1785e8aa50c454e94df4c000ab30278af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
544df28e796429ddb8829148e9da18f3

SHA1
b0353e32cbe38f6a020b305588691d63a2fdc180

SHA256
b97ef49cf8b82f62a51b0bfabcaff9f7b07013c8e768624157f7adf05652c9e5

SHA512
e69d5b01189ad00336c09eaf6c9edd6baa1cdffd2f8ffc3434c7474082dd5d12f91941a68de0c06ebece022a7f24c13556ad5e7c7f2439517e2b2d3172796401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1cb8a8299921d6e0c6aebf0d6d422bda

SHA1
84772e39f1361d103801faaeea9ba09a66d0ed2a

SHA256
6130dcd359cad8069de8f4b0dbfcccc8489af3e4be81cfa1862f6276e4172e33

SHA512
62069d87faf3568de4efff4512b088b9b9bc35816818d44c205ac95d6142102be664fd3fe929960548c420940c05b68bf238dadd8ac123b6334a2cb378e560f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
d098eec9621ddfbc3635073fdbf987c2

SHA1
041ea16d87d0b37c971cda7f1de3c4851c5b907e

SHA256
274f05619b25f4d0346f9bc81893d8a952a52266588e0c2e8ce9394f31e4d3a7

SHA512
acee7f79e9cf29825d3fff822f610c98019674b790980819990e1c8b115a73541ab686de98acce7783fcadfc22cf14877a0b2e07850f0e4852ea136f9deae898

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
4c399770d2a1bba093bb9d427df49aef

SHA1
e07654ac720939a600038dfcc0b72211ef92efef

SHA256
ebcc49460220acd72ad552d4e1296d3d1461ca7e4e3ff16639c62d035a06be6a

SHA512
b856ee0b6e7cf20557f8fe8584fd5cf3ee7959f19f0e719bf3fdd82f170e92990fc85a6fd5f96e709bb84ad2f0568955a4a959cf680bb68d30d90e90f694e4ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
202KB

MD5
ff87054b5a400ae01e04e9043e58e44d

SHA1
ab9c6c1772fe366ebfd4ff38795f662783835b38

SHA256
6b388c74ff8e8c497882b3d683532116de06cd127d7b7195789bbebd9389e810

SHA512
d006e50e34c3758c2aeb8d94dc2baea2810b22492a5734abec6ae9babb394d2582246e62679ebaae1779f33c2cfa83c436657027f0a5b7bb79eeff65c5fc894e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
72KB

MD5
b4dfff8be59b57567f77f1c46ef67086

SHA1
3405210195a90964a2578392b7c81389cc89c8a3

SHA256
ab6995724e148e4300d6da5f9623a12b4a3cac04033d125778a8d2c3d0c9baf3

SHA512
592b1a6084206d1aa3bf59898a0e82a443bb37ec3902863b329f6307f0c4deca4762ded70d7a9a736f82bbe2d1cf0e88e0982ec945ec913c29b7f787ca2d54c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
8a3df76320ca86f687534650b188e3a6

SHA1
a90dce2e26ffdbccfecf2917ae9398eb018a22fd

SHA256
0231509df7800e6ad70f2f383391e611f320896718375f26fe45cc8e3e7f2dc2

SHA512
64a5963a019dd6168c8b29ab25eca006fc0801ed1019c593d22225eff2cba2247fbce19638b9bca487a1b220d137f8281bf72547be73e57a2abd8e0ab875d66f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit