d0fed238df1b0482115b9828d6cc7a9f2b7b396eee530e7f76ae48bdae59436d

Analysis

max time kernel
70s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/05/2023, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Size

1.4MB
MD5

e5c68f7c04f147d6fb620a3ba2bf2c6c
SHA1

2ccd6c85287a40efac5b9855c9cf432f652f03ff
SHA256

fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54
SHA512

04c0c7f4b178bf055c205de05e470c5edff393ee30775600f43fe44fb8a247f6a1f34dde0c2098441f025fa2bc3b614e51628fee7b3983c191c2f9ea0a189404
SSDEEP

24576:rGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRjL5hAST:apEUIvU0N9jkpjweXt77X5yK

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
548	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
520	chrome.exe
520	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeAssignPrimaryTokenPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeLockMemoryPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeIncreaseQuotaPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeMachineAccountPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeTcbPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSecurityPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeTakeOwnershipPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeLoadDriverPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemProfilePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemtimePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeProfSingleProcessPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeIncBasePriorityPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreatePagefilePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreatePermanentPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeBackupPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeRestorePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeShutdownPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeDebugPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeAuditPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemEnvironmentPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeChangeNotifyPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeRemoteShutdownPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeUndockPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSyncAgentPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeEnableDelegationPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeManageVolumePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeImpersonatePrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreateGlobalPrivilege	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 31	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 32	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 33	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 34	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 35	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe
Token: SeShutdownPrivilege	520	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe
520	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1360	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	29
PID 2020 wrote to memory of 1360	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	29
PID 2020 wrote to memory of 1360	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	29
PID 2020 wrote to memory of 1360	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	29
PID 1360 wrote to memory of 548	1360	cmd.exe	31
PID 1360 wrote to memory of 548	1360	cmd.exe	31
PID 1360 wrote to memory of 548	1360	cmd.exe	31
PID 1360 wrote to memory of 548	1360	cmd.exe	31
PID 2020 wrote to memory of 520	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	33
PID 2020 wrote to memory of 520	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	33
PID 2020 wrote to memory of 520	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	33
PID 2020 wrote to memory of 520	2020	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	33
PID 520 wrote to memory of 1680	520	chrome.exe	34
PID 520 wrote to memory of 1680	520	chrome.exe	34
PID 520 wrote to memory of 1680	520	chrome.exe	34
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 788	520	chrome.exe	36
PID 520 wrote to memory of 816	520	chrome.exe	37
PID 520 wrote to memory of 816	520	chrome.exe	37
PID 520 wrote to memory of 816	520	chrome.exe	37
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38
PID 520 wrote to memory of 1124	520	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
"C:\Users\Admin\AppData\Local\Temp\fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7249758,0x7fef7249768,0x7fef7249778
    3⤵
    PID:1680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:2
    3⤵
    PID:788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:8
    3⤵
    PID:816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:8
    3⤵
    PID:1124
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2084 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:1
    3⤵
    PID:296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2100 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:1
    3⤵
    PID:1484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2480 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:1
    3⤵
    PID:1744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1152 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:2
    3⤵
    PID:2896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1436 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:1
    3⤵
    PID:2972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:8
    3⤵
    PID:2992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4360 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:8
    3⤵
    PID:3000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1452 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:1
    3⤵
    PID:2164
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1244,i,5748075031358781338,18032720374711376643,131072 /prefetch:8
    3⤵
    PID:2724

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
336266bd8765dc8047057dc334e33c07

SHA1
541015c74a1efcecdd66557c14b673053e2c6bd0

SHA256
fb2626d1eb93bcb14cfada4b53b990c69191f2c235626387e793ba7f005c09a3

SHA512
b0e5c9d3cf53193f79e3d83160ade060cdb5ef8ef8e8a5ac54369c90530c62edbeead3a25ffea0e79f2e3d12c14b448085082e5be2b727db1589084eab731e8f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\03D3022805FFAA388F36141B6147B3AF

Filesize
599B

MD5
6c8663fe8faa020469c9339e57665446

SHA1
32ab5b61ae20ba8172325683b71397cc62023197

SHA256
775f674698ad9d93c675f1cf649b7254a12f8868ff2f24ebc5842c386da95ef8

SHA512
a6aef045bf1ed2bd290514a6f5a3fd86bb54c2b79902fd1ae6f09af12ecbc97a2291af7275f0ecf7ad2040b2dd4088002c6c721bd7e7fe8bcdae94e3730ed6b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
b5fcc55cffd66f38d548e8b63206c5e6

SHA1
79db08ababfa33a4f644fa8fe337195b5aba44c7

SHA256
7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1

SHA512
aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
1KB

MD5
49aada71b06970f659875418a65f1481

SHA1
02ba0b8638e509096456ab9ff8c2b707322274a5

SHA256
a884e1e876c746b5a71b41da159c343800a53ee2493fc772cf732cf9bfa91cf8

SHA512
89e3a0b79a11c005755851f6535f9be58e4971dfbae935f4f73506f0e09c5edf12763aa5af6e0535c77b0cf00e3ece02b97bb130a2b2f79792a162df7493fbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\03D3022805FFAA388F36141B6147B3AF

Filesize
500B

MD5
a7c441a8aa4d3937eb5005060be0976c

SHA1
9d5f734406b556d7499e807fa2b506d1c16baa42

SHA256
a9a1cdfe1e0025d4b120edd0b55faee963fea5c828a322083b99259c4c9f6fc9

SHA512
b5de7bb86506e61ef4711d3aa94e984e66b60b7c1545906dc9689ab08714017de825239e8845f118bf0c98137e12ed01d180033def12761320071ae2d965d7e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cbc59d3a7c42a932c8b6c1abb173451d

SHA1
9e621bc6f26d93681d9172eeba3e3ebde5f34779

SHA256
d90cef99f97a0298accbbbe8d2fe498a29254a827b3539674fd7448f3c4419eb

SHA512
daf44f285b3618d6fc7f5002e1b889c9bc63e707298fadee35b4327aca60efb46e43749151eae249a983f3a8386df01d08f48387dd25ed1dee07b4d4fde49206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c33c6dc77b18c8ca30a41156fb17e86

SHA1
a1cd7ef9a4a1d56afc339b02b41d216045ca4dc3

SHA256
6ad22f70fd58b11fa977228036d6ddad3bbbaf50d57be8e7a87412cfbcd7908d

SHA512
0832d7a056d92f66bc6ab3b14c99d8ed7237b894216878820db4d957d90158f7cf61fea0ba3c82d379d772ea2a5c3a24a9f89c08da9132b0c87ad5c4a1d7f7ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d88faadf862865bb9551a6106aa11f8d

SHA1
35c2b7d5a29ea33cdb0bdee6ac1944319473024a

SHA256
2582d7090c618b5fc73e45f2f4c7a4f0a346eaf2330144d10ffab0a5a64d57f3

SHA512
184b9955d0055a7e825a4d3624c60b2383d818e5310bdf214d50f02278a9fd548c78c286366dc11dc31ddb8a0cd22c3408f4b3ed148cc8034d021830a81d3d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
482B

MD5
ce7338210986f83b4a85bcce41361d28

SHA1
4c93d07f15b499a5c60982a78268c39205e829da

SHA256
5ea132bb1ec5dc8a6fa852ca697ae2ea388660749c3ec282fdd186b73bed337d

SHA512
e91781b8ddc08a0e4d476f21556d6b4e79c3e530b841464f10cb4616d967d54b500ded579bdaaf228aba3315dcd9da3ac77cbfc4213e5b96461de522861ce765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\87297848-d816-4947-9ca6-35e80b97b459.tmp

Filesize
4KB

MD5
1f904efb38d2e1a8d0bd5c6ec624cbc7

SHA1
3e3944da6147cfdd68509e9f110972dd51be10dd

SHA256
4fb4235adf71745292813400a96d14ae27202ad953e7cbbeb786dc6d7e117ff8

SHA512
5243feb19ce05f0ab36d99e30b2458833717f816d499b2c89167b0d812ef4ef18969e113129e142907e76bf9325c14cd6a000f2faa92663e6b642f7be83d796a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
8628ea2f8db188b54edf6814ba0e4f5a

SHA1
11898a2c6df3b50f71019ca4c6817a35c4946a95

SHA256
1122dcf08e15edb9576205b9a9b4544160733305cc81c192d7c98d38aa278a55

SHA512
2f30867c1be3a99fc6cf6c16c8e247c100ec3bd0ccd30499dd2dc5ddb24c534171e14370cda16a53477e7db2946d6980379649647f817997c047408ec3fa77eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1018B

MD5
56e24e980ccabec7aad937eac81ab5db

SHA1
1c5baea7f8810909f4a1259febc7058fc326be14

SHA256
6034087a8aa16d22df1689239a958a45ac13992c2316b550d6edd196f7d1e7bc

SHA512
d90d03511b50ac5fb3f47f80e4839fc9b5eebc265f8ffcd81f455222fbd7cbaf7507d6caadd28c2b119b6ce5e983106cda780f9e0668a9ad75fc261e092776b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
b2edf1fbd1b5b85cbd2622d45ad1f7b1

SHA1
dfb04fedbb37fe76fd4a7c10926f5a16a41a1bf7

SHA256
d40db732b5f390db7cfc876b3507111af735627d67c4f4425ae553df33fa5c0c

SHA512
d1eb89a647694597e40b39e811a768a4e1b962db8f95d8d56d939b9bcb8c02ca0fc6ccdce7189ff45d0c74cd14afd3707c6f94e1c3016fe88f2cf04d3aabcd68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
a33ceb08b2d14456ffb8f3df87b9aa7c

SHA1
9613548af4e91f49ce3a3597135ce82ec498aa17

SHA256
6fafeb4e478edd8a009c37c63d0dd6ed3229742914790fb4594eb2a440b5e0b5

SHA512
6d58f787cca5b75120729adfdae2a6f625954d298fe5f84d71b63c55588f1b61de96ba5311e3d6958f58d9ca0e57df8c359b99cc521cf9d6be6c9e2906b6194c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
5fff1742dabfe19ad19b4397db36a16e

SHA1
6abdf966d2896376d1659d96d510b1a3604f6f93

SHA256
06798591b956eca58687e267886e081ae1324e9d08dae3bd1e77fe6f444f7af8

SHA512
c483f13d8c4db6b182e4e9d0133aebd50c8dc1d6c79aceae9d24d792257a153e1e1dd609a31ba83da48062e34c227697fd35c298858b6b2ae9bb18595d9f6882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nndannfdnoaiphfcbbpgkhodebpoiocf\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit