ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584

Analysis

max time kernel
25s
max time network
156s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18-05-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Size

1.4MB
MD5

31696a0f32742be2020d4954204b403a
SHA1

c797a43c786884661af2f03e17f4fa7f0412ee8c
SHA256

ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584
SHA512

544a3c3673e28354a3d44cc57123e0be871d4fc89477405d0462557ffe44655a582dcefb7057a627d96c5aea16c8306a3bcb4f0c372536bc13748ed2105885ef
SSDEEP

24576:ZGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dR7D5hQST:8pEUIvU0N9jkpjweXt7735SK

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 10 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	elevation_service.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	elevation_service.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	elevation_service.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1620 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1944 chrome.exe
1944 chrome.exe

pid	process
1620	taskkill.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeAssignPrimaryTokenPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeLockMemoryPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeIncreaseQuotaPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeMachineAccountPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeTcbPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeSecurityPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeTakeOwnershipPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeLoadDriverPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeSystemProfilePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeSystemtimePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeProfSingleProcessPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeIncBasePriorityPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeCreatePagefilePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeCreatePermanentPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeBackupPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeRestorePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeShutdownPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeDebugPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeAuditPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeSystemEnvironmentPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeChangeNotifyPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeRemoteShutdownPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeUndockPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeSyncAgentPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeEnableDelegationPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeManageVolumePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeImpersonatePrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeCreateGlobalPrivilege	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: 31	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: 32	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: 33	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: 34	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: 35	912	ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe
Token: SeShutdownPrivilege	1944	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

elevation_service.execmd.exechrome.exe

description	pid	process	target process
PID 912 wrote to memory of 1492	912	elevation_service.exe	cmd.exe
PID 912 wrote to memory of 1492	912	elevation_service.exe	cmd.exe
PID 912 wrote to memory of 1492	912	elevation_service.exe	cmd.exe
PID 912 wrote to memory of 1492	912	elevation_service.exe	cmd.exe
PID 1492 wrote to memory of 1620	1492	cmd.exe	taskkill.exe
PID 1492 wrote to memory of 1620	1492	cmd.exe	taskkill.exe
PID 1492 wrote to memory of 1620	1492	cmd.exe	taskkill.exe
PID 1492 wrote to memory of 1620	1492	cmd.exe	taskkill.exe
PID 912 wrote to memory of 1944	912	elevation_service.exe	chrome.exe
PID 912 wrote to memory of 1944	912	elevation_service.exe	chrome.exe
PID 912 wrote to memory of 1944	912	elevation_service.exe	chrome.exe
PID 912 wrote to memory of 1944	912	elevation_service.exe	chrome.exe
PID 1944 wrote to memory of 896	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 896	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 896	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 984	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1512	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1512	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1512	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe
PID 1944 wrote to memory of 1656	1944	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe
"C:\Users\Admin\AppData\Local\Temp\ffcf40353ab148d60032eee55ae156fa823eaf0db9b5ffb781025d98e0bc1584.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb239758,0x7fefb239768,0x7fefb239778
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1504 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:8
3⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:8
3⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1020 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:2
3⤵
PID:984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2380 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:1
3⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2356 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:1
3⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2680 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:1
3⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1352 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:2
3⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1536 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:1
3⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:8
3⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4420 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:8
3⤵
PID:3028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4444 --field-trial-handle=1272,i,16058472434929066057,16744178844387288970,131072 /prefetch:1
3⤵
PID:2224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
09e8a69deec92c482c5e99a11f58e936

SHA1
a447a3b2f245420e2ec2fcc905fa9d86a89d6283

SHA256
10da60dce90040d004e0e0e2c742f70992fb9af786f08b0f0ab738568e043422

SHA512
4c7e036192d3cfe57ff80427c870748adeed8c70d1046674018ce783ebb2b89e3407a709436342782d6036fb01941f2ff07d25133a67b278d090d7ffcd689ae5

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\03D3022805FFAA388F36141B6147B3AF

Filesize
599B

MD5
4985ca181bc782e587f08f7114dc4206

SHA1
9b55745e3b5e227b5b7f2e743b4a847f87df16ca

SHA256
087a601137e45c47e40498ece1ecef3695c13cb628352a27855fb69362d2f7ae

SHA512
f660397d011b2dc14575792d714c256962ef252c02733fe21a1865a39435ba0d7ad5b5b7026c01642aaeb092293af9ee4125cddf4ede32ac33afb7b01ecd2f54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
1KB

MD5
49aada71b06970f659875418a65f1481

SHA1
02ba0b8638e509096456ab9ff8c2b707322274a5

SHA256
a884e1e876c746b5a71b41da159c343800a53ee2493fc772cf732cf9bfa91cf8

SHA512
89e3a0b79a11c005755851f6535f9be58e4971dfbae935f4f73506f0e09c5edf12763aa5af6e0535c77b0cf00e3ece02b97bb130a2b2f79792a162df7493fbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\03D3022805FFAA388F36141B6147B3AF

Filesize
500B

MD5
7042d3686d05b81c20025856e7bf113f

SHA1
3852da69dc633bf8e7934c3d895f31ace1b7448d

SHA256
5e8fdc15a194fe2bcf1a4ee63c727909acf95d2d32f2a8621dad006b73d84973

SHA512
eafb20485f4cd23b9abbe2c87350b55b148137d0c38f08d0b4c5e42e89dec9802d2765ca6935e81362de13b1e0eb199817b2b56a416e9009bcc9b53d0e5e3753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
696d64e0eebc95915c9c72321f8ca349

SHA1
ce93ebe214cc2d3e519170e697cdf531ba8b64dc

SHA256
7dc4e3d6feb2a06b2890fd2e5967cfacbff0393c2ebf2cab808c78e58a1f058f

SHA512
e67130635d40fb1c508cc7fd88679eaa0b75827040da05940883af88864a550c2e49ad29afdcffaf945203ce9542f2520d3a8ce30ce6fa56e5f53f164ac9d916

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1015bc34d4029844fb46e46cfc8b2c20

SHA1
b55dcbe9071be6127bcf78eead3c80e9d7f70575

SHA256
34cbe00b5193480bcff3bd54b2fd318936c0d1c6ad2234766a9adecb509a63db

SHA512
ad6c0954f2af2177113b121c90f2130b66ac2f5fd7e5394dded0f0ffe8d9824df1522c5f5f0950f92e778c0e0c969f902133584958a98dfe8f9faddaf66aebce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e5561d45ca65ddff10102fbba4fe032c

SHA1
15ae4ab92f4518d35555f2b957ac3f39d446fce3

SHA256
1bddbc6eddd3248ad666b89c5549f71b054095f9eddef74f40ae971b2a078944

SHA512
c951c585f7ef7dbbe6afce682fac633d4453eb44cdc882304116d6ec1dd7968592163f6e13879aa338a901ee0f5788b641f36dc110f6147fca664b0c9cda76c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
482B

MD5
0ad21aa5f62d6af4ec0e16ae822abfbc

SHA1
93527501d49f3a6ba5957c2c3c1d448c7369d5c4

SHA256
ec841528161cd41b537be3e3e738fd7f6fbf882114401f977718325df3b2a55f

SHA512
c32083d4c5ab6c6aca6575001d96fd2ea2423baccf9edf69b625f7c8c183a0931f1cd91542c8b27ec117a7f928b1d8ae11e1d4e86c8dabf20007d68dd9821100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
fc74e766791069d37cdebf16a90b4be3

SHA1
a4402543e086daa39eb229bcbaae18404e7fa2de

SHA256
e772769e5fed0b741865514234d39a1642838e137ee13821d1df39f71b68211a

SHA512
3cea0c7ed57a464c7e190b9b90f2bd4319c56da997cb1856dab863e60105d08933c22302f3d4defdde499b6d416d325e5e219a918364b41d64fd439b33c639b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
1050b3ba1d63e46ba02b98d7e2f1f94c

SHA1
8e20fda26830693f27f9c849f70dc6526a976d68

SHA256
78f50e5be0aae66946ed2b44130db94c932161482b07560b2157a97fa23eba0d

SHA512
a161d913d4f75407b97385a733eefd2b0738815fabc57965fbdbaaa5581b68c199a6824ffe67ec70588b4545a36efd266f2beccd4c99e55d9a6781d50433883c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e174bb2f8ee5b68a3971d64ec96e5265

SHA1
c5b954df847073457ee49a112bcd46c88267f3f0

SHA256
dc21be609e0f1a4b014582a31688d1023e24dde4ab56a9aa837e89247f5cb30f

SHA512
38e73d0dfe8cf96178424c97123cc9e01b0475438ec3471c710fdb2d44af2b49d4c2ab9bbd95657b5af06abd05bd0f49f9a4960425dbdc08145c61a7885f4794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
1d83b88405601c5c313a87a2ca415244

SHA1
436e2e0f7682c5d06a2cf9963d7d71f0859451dd

SHA256
29aee961820683b864b42c5e81f2f107ec6b62dc925b82ab881aa72e678e7f75

SHA512
4cb7a88cebf5fcb904d3f910134fa005701bbbf4540948a427f880627941390de92a5c7e26a041e7c33eca21644bce76cc8c09284eecc1f493652623496fb162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
eb8f81cf15eb47b17d1973ed785e005a

SHA1
44f15ea87f5d9918e425a869a5ffc33b9a8df4fc

SHA256
cb0bd767f14e7187b329a7e5a1b3f13ec9d2cf97c821a8f9493ffc3891b82df8

SHA512
c2cbc74064e39bb8bdc908b0cc975b8af67b96f2a11e446cdd6366092f9cd8bf2da9078b3fb2090545e02882e4bd3f044e8554d4495896cfe3fd42de4632e13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
19325276e6792f67f2ea7f3581233195

SHA1
59671bfc0d832deba81f226ebcb86d9337921c98

SHA256
076e74642d0516bae27e1e5b0fb74a94944d0d4f021f83a4865d9da89906b911

SHA512
38171c69083a75a6d056a888b2d1596a73598f59505035f0cc9b8422ad2519107241f5a1b7f1d3367c98879478154955fabaa9f5eccb0964a5733e15f12cfda8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nndannfdnoaiphfcbbpgkhodebpoiocf\CURRENT~RF6c715a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fc8c460f-60f0-4c20-a048-075bc8d09d30.tmp

Filesize
4KB

MD5
0f2e08fc15dad2f24f345bad10d530eb

SHA1
604908607222c38bda86c0ee850424aa96203c4d

SHA256
0d10a5baadf7b45124a59ff2fff7a5012807e5784c0b3a838b76bec503404841

SHA512
9d8e988ff5f510e5394d878775f47270ceaa832e3247c55b2826691307e05af128ff9902b26d6324a86404f051cd507a7bae5faff425c4efbc6e978968d5d6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3B63.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
\??\pipe\crashpad_1944_VFFASWQGMMOISNCR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit