d0fed238df1b0482115b9828d6cc7a9f2b7b396eee530e7f76ae48bdae59436d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2023, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Size

1.4MB
MD5

e5c68f7c04f147d6fb620a3ba2bf2c6c
SHA1

2ccd6c85287a40efac5b9855c9cf432f652f03ff
SHA256

fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54
SHA512

04c0c7f4b178bf055c205de05e470c5edff393ee30775600f43fe44fb8a247f6a1f34dde0c2098441f025fa2bc3b614e51628fee7b3983c191c2f9ea0a189404
SSDEEP

24576:rGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRjL5hAST:apEUIvU0N9jkpjweXt77X5yK

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4056	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290282317991635"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
2196	chrome.exe
2196	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeAssignPrimaryTokenPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeLockMemoryPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeIncreaseQuotaPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeMachineAccountPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeTcbPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSecurityPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeTakeOwnershipPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeLoadDriverPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemProfilePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemtimePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeProfSingleProcessPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeIncBasePriorityPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreatePagefilePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreatePermanentPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeBackupPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeRestorePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeShutdownPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeDebugPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeAuditPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSystemEnvironmentPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeChangeNotifyPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeRemoteShutdownPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeUndockPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeSyncAgentPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeEnableDelegationPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeManageVolumePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeImpersonatePrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeCreateGlobalPrivilege	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 31	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 32	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 33	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 34	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: 35	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeCreatePagefilePrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 3788	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	81
PID 4812 wrote to memory of 3788	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	81
PID 4812 wrote to memory of 3788	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	81
PID 3788 wrote to memory of 4056	3788	cmd.exe	83
PID 3788 wrote to memory of 4056	3788	cmd.exe	83
PID 3788 wrote to memory of 4056	3788	cmd.exe	83
PID 4812 wrote to memory of 440	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	85
PID 4812 wrote to memory of 440	4812	fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe	85
PID 440 wrote to memory of 4852	440	chrome.exe	86
PID 440 wrote to memory of 4852	440	chrome.exe	86
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 3816	440	chrome.exe	87
PID 440 wrote to memory of 704	440	chrome.exe	88
PID 440 wrote to memory of 704	440	chrome.exe	88
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89
PID 440 wrote to memory of 656	440	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe
"C:\Users\Admin\AppData\Local\Temp\fca0a82674863619b79d6793e6164045d7f35482261c898dc903d07bd4ca9a54.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe8c29758,0x7ffbe8c29768,0x7ffbe8c29778
    3⤵
    PID:4852
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:2
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:704
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3132 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:1
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3260 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3812 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:1
    3⤵
    PID:4492
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4796 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:4684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5080 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:2104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:8
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2868 --field-trial-handle=1784,i,5857081937282018595,11754610734727940399,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
9d0fae576b3a37a3629585e6f8e92631

SHA1
28c4125e4910b8bf3ce3832da907de7c4025b714

SHA256
f9db3e2ec89262268593bec3b89c565a6b9629c488867d1ddf54423f5816d498

SHA512
4c645a027a1d8d767bca9b60b1bcf3de14995483b6bdfe51b1c340c7455fff1e69ffc31d210542db419d2a38fc148473d899c5233ae0b0680f8394566ae06926

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\03D3022805FFAA388F36141B6147B3AF

Filesize
599B

MD5
6c8663fe8faa020469c9339e57665446

SHA1
32ab5b61ae20ba8172325683b71397cc62023197

SHA256
775f674698ad9d93c675f1cf649b7254a12f8868ff2f24ebc5842c386da95ef8

SHA512
a6aef045bf1ed2bd290514a6f5a3fd86bb54c2b79902fd1ae6f09af12ecbc97a2291af7275f0ecf7ad2040b2dd4088002c6c721bd7e7fe8bcdae94e3730ed6b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
1KB

MD5
49aada71b06970f659875418a65f1481

SHA1
02ba0b8638e509096456ab9ff8c2b707322274a5

SHA256
a884e1e876c746b5a71b41da159c343800a53ee2493fc772cf732cf9bfa91cf8

SHA512
89e3a0b79a11c005755851f6535f9be58e4971dfbae935f4f73506f0e09c5edf12763aa5af6e0535c77b0cf00e3ece02b97bb130a2b2f79792a162df7493fbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\03D3022805FFAA388F36141B6147B3AF

Filesize
500B

MD5
9cf2694aee99a93354b60554eb24f21e

SHA1
c1499786f7ee3cae7de8af7c158189064eff8890

SHA256
8877c3aaca5a8116ec66339bf9a1117071215f09a3f3118145063141fbc6fcff

SHA512
def4231c3d8de426f5e1e40e0c18c8991e403e253e6f66ec8efb6aafd5b289681f7048252975f5055ba9156ef595f34bf458ee1eadb487ec28e569c6fc332796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
482B

MD5
461e2051224727c96747d21ffa60a3a2

SHA1
28850145d478b3c8610af25f279b21cfd8555346

SHA256
3e32b61c031b62c95f5f6329ab1161807ef966192136514d48a22766cdb85f07

SHA512
0eadc741d47d27666b7108b24a157a942e6c6dd179b9316e71d03d99bd93e54f5a330b8696380b00eaeb1784ba21a380757d2d593c5ffe0e8b0c344bf017fca7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
421870a1284f767d1585554052720bab

SHA1
e2d0a3c2255aa437f2638bdcda629468ed4dfede

SHA256
75e541a5e86b151fe4ae27dde6b46900f6c6995fe66432b3d364b6434723ebb8

SHA512
0b596570a561593720128ec8196be1db7d8311e62e31db2e18e33aa3a876a6d5e465eccf59399789756efdade4cb2952d29d67af251e5e7333c916f859aba807

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9afb4a48f86bff9ce3bef78124124953

SHA1
170a97af2bd293e43fad020d6830db5f8c30745b

SHA256
9a4d086a279c06e84d8b7f24e686f887deb11917d98bf32d4227216bf0ad69ee

SHA512
1fb1332130f284bcfabedc2d4aff90f894ba3e382eb06c4c99236f0054b0bc75ae183e85426e7c9a47e255f516a5dd60bc9dbbf8aa87e0caa9294354702b2558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dc018fbbac514ca5c6a1100ad0da9554

SHA1
35897d51bd45195c32dd94e37897ffdc353dd323

SHA256
e085a8a6eb57f9063c67c8dcdbe9f7f4fe4cc9e01e0a4a13ccf70a6acc2ede7c

SHA512
cfc75b17fe6142a71a1232c4d0375be532c2de4b214830c089468acd3272acd5b102f891639886ab4e9ffff7e63c241a6db85faf5cb06a45f186cd929cbc95f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b26c85de1859fc24c78686f7082fa08c

SHA1
a292cbfe2ccfeada9bbec1daad87510816dc2efc

SHA256
ca031058572754e3f38460bb6660f724048c4ab34337eb333114d136a76100e0

SHA512
f7e66cbfedd3bda463112c97ecad5ec0b0e273ea7342a903e8a928ed3e94f40a4612f566899c638d29883b24a6c90cdbe04285d655782e574f60e1d8cdefbf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eb472ac8ef417f6126bf342686cbe78b

SHA1
3ccd4f68f0dc55aa62f6a9cdaaa9d93387f78dac

SHA256
deedd4e00933ed9f0bcccb55a26b849cff5ed02731309554e07499f3a513733b

SHA512
665e6d189dac66f6d5eef8173b935377cf8d9395ba715a9982bd8c51c15fa661b7c35b5cfa0ec54d176dc7a1eb412e1d63e9d9dbd450c828acd3176e307892af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c99e20f77b4f860e4df5ec2490afc9a0

SHA1
db834c6202dbfb9823c9ae58966f9d0e2de3280b

SHA256
5250073ef114e2b039630934e0e9c14530a476d32e4cc5b45147e45442a3d0ed

SHA512
ca333b2d4e7cf99dd13b3a2544bea2f814a5ed68967fccc3bd38c3e90a9528cb34869c9bc390d22ec257648a091a2469d9457252c2db5a88c88e61bc7c2be921

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fd7968633013df609f20226f4f5adcc1

SHA1
14fa722e99df01520acc9722a1c64a31dc69dcd3

SHA256
fba90ab322e357437c721b0453b1c276be1b3e3b6610ec1e72ca927286368292

SHA512
877c51f745041aab6ff0525746b5ce40ca26f53e1241dc61b0b834fd886946e9748a9ebf2395c6ebfd2318c17c57be956cab8ee9314f09b41f9bbdff3749bedb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d6c8b5c2f1739b375002f6dda031a17d

SHA1
f6b09bd349b3806deea60e7e1191d378fc5543fc

SHA256
38d0377781e9186e1078be3c92549db8f950fde2ad1791425590218b418325ef

SHA512
9aa9e0cf21044b1367d2b89bb1a125435b7698d6c4527b7dd8eec61d255f2b3ffc75b6224f04e768217a31a0e2786596e019e87ab870dabadf7973440972cc3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a4e57c7f65422b095bbdfb1afcf878ae

SHA1
db442e932241ada9868973c78e25cb3531854ff1

SHA256
0c4ec48d53a37f2bb672ed5f097709c0f2b15c092d5e211d4b62a82779add88b

SHA512
ceb7b413b57ed10dcb1d3156ba432b0fad42d65f651cffc6c950891e1abfbee127354d8c173e003a306b05fe1fd6ee6fdcf0e41d570480287aad08eaf322b34f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a9a0f0013d463314cfd5c930df040a1f

SHA1
d9a5d48a5e7d6826f1417d5817f0add3e934e307

SHA256
856107448c5962d7b63f67023de267eb17d31db343c6d26b12fe5792f699f917

SHA512
04e19863d30ad936321c1915d0a379d62eb117aaf267c289f34df9d6b8371fca8816fee0623bf7a39fbb472c1ee496d49df6b92c5304cf6dc74b3d7a5a1770b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
ab10f6ed5d74287dc5d055c983e060f0

SHA1
2524dd1653d6bb0ae026d25eeaf9ba098b2ee261

SHA256
feb14a86399739a63a67df0e2be3465e531628d5458684199dc32f521d04c669

SHA512
e5362b75f3e009e4c53ba0e93974c9235b358f57a527f08ff9bcfb206398eaa220817612945a43261bd4e79a3be0278ef555c46d74e81ada3a1402e56328b02b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit