97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115

Analysis

max time kernel
150s
max time network
151s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
20/05/2023, 05:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Size

1.4MB
MD5

6367bef91e70089257f9f828e8017d58
SHA1

c921748e33161e18648da5c57ac2b1ba621c4209
SHA256

97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115
SHA512

06b841f735f2487b679392f0a5f9e01381898b486cd49a5486686e749b5f5895487a73a03a34b6943add16c8218ace8cd7e2d12dbc5a69018e39022ff07faa68
SSDEEP

24576:4VYkTpy0OVnKhXJ04BJFKA3wRKB7a9WscrmCqeQrEbR5hytiW:0pJOl8xFMRy/SeQgl5oYW

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4548	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290358379542025"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
2528	chrome.exe
2528	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeAssignPrimaryTokenPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeLockMemoryPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeIncreaseQuotaPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeMachineAccountPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeTcbPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeSecurityPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeTakeOwnershipPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeLoadDriverPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeSystemProfilePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeSystemtimePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeProfSingleProcessPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeIncBasePriorityPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeCreatePagefilePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeCreatePermanentPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeBackupPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeRestorePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeShutdownPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeDebugPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeAuditPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeSystemEnvironmentPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeChangeNotifyPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeRemoteShutdownPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeUndockPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeSyncAgentPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeEnableDelegationPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeManageVolumePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeImpersonatePrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeCreateGlobalPrivilege	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: 31	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: 32	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: 33	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: 34	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: 35	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe
Token: SeCreatePagefilePrivilege	1288	chrome.exe
Token: SeShutdownPrivilege	1288	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe
1288	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 3240	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe	66
PID 2288 wrote to memory of 3240	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe	66
PID 2288 wrote to memory of 3240	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe	66
PID 3240 wrote to memory of 4548	3240	cmd.exe	68
PID 3240 wrote to memory of 4548	3240	cmd.exe	68
PID 3240 wrote to memory of 4548	3240	cmd.exe	68
PID 2288 wrote to memory of 1288	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe	70
PID 2288 wrote to memory of 1288	2288	97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe	70
PID 1288 wrote to memory of 1480	1288	chrome.exe	71
PID 1288 wrote to memory of 1480	1288	chrome.exe	71
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5072	1288	chrome.exe	73
PID 1288 wrote to memory of 5068	1288	chrome.exe	72
PID 1288 wrote to memory of 5068	1288	chrome.exe	72
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74
PID 1288 wrote to memory of 3588	1288	chrome.exe	74

C:\Users\Admin\AppData\Local\Temp\97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe
"C:\Users\Admin\AppData\Local\Temp\97d24c0b91de405d4d8eb207853840a1136f48a06929d8c47ffc9e09d7e8a115.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd37429758,0x7ffd37429768,0x7ffd37429778
    3⤵
    PID:1480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1884 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1588 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:2
    3⤵
    PID:5072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3144 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:1
    3⤵
    PID:4604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3088 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:1
    3⤵
    PID:4772
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3580 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:1
    3⤵
    PID:4568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4936 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:1
    3⤵
    PID:2820
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:3808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:4428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:3268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5496 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:3428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5672 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:1
    3⤵
    PID:1724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:1392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:8
    3⤵
    PID:2896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3716 --field-trial-handle=1944,i,15992378263490660493,6664940462860754399,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2528

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
e136890616ae87a4e4d195923561a56f

SHA1
6983cb06f6fab1c0d2e5efb5963c7c80b0574c47

SHA256
c7fb3a045c0260f5c9b547fa41803a6db5cb0f0461b31dcd71759f1e549cdbfd

SHA512
4550a1c78f86d6bfb265b15293ca6c53275e3d0ea7b7f7242f587b68cf7d98a6acd7cd4ffb5ca40fb6ef19da62d33fd1fb7cc26ca24af7b3d4c3aabaa7e51639

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\03D3022805FFAA388F36141B6147B3AF

Filesize
599B

MD5
6c8663fe8faa020469c9339e57665446

SHA1
32ab5b61ae20ba8172325683b71397cc62023197

SHA256
775f674698ad9d93c675f1cf649b7254a12f8868ff2f24ebc5842c386da95ef8

SHA512
a6aef045bf1ed2bd290514a6f5a3fd86bb54c2b79902fd1ae6f09af12ecbc97a2291af7275f0ecf7ad2040b2dd4088002c6c721bd7e7fe8bcdae94e3730ed6b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
1KB

MD5
49aada71b06970f659875418a65f1481

SHA1
02ba0b8638e509096456ab9ff8c2b707322274a5

SHA256
a884e1e876c746b5a71b41da159c343800a53ee2493fc772cf732cf9bfa91cf8

SHA512
89e3a0b79a11c005755851f6535f9be58e4971dfbae935f4f73506f0e09c5edf12763aa5af6e0535c77b0cf00e3ece02b97bb130a2b2f79792a162df7493fbf7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\03D3022805FFAA388F36141B6147B3AF

Filesize
500B

MD5
b92e292c773ccdb565361b6836030b2c

SHA1
1592d884be768e51d4218d1b5f7f5eee93e2299e

SHA256
9f022297368a95b815cb535b7ca12edbdc66a4df9d9933d95e48334460c8dafc

SHA512
8f3094b6d8de8cac7be3270861deae1ec15c1b5f2f7877338f815f0fb93708bfdbb020a18e18d154e30a3be27cc4d6e5735f1b6ebabbf2b2fe5a53862a8920ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329D

Filesize
482B

MD5
2309c8639fb458cc1c5d965d8b799838

SHA1
2940c253905c3e8b0ae80896f5df22e12ace14a9

SHA256
928818c74cf49bb267db0f834e078ffa1dad87f302396d0adfcf5649932c8698

SHA512
22247ff3c06fb139ccaacc02d910f9f1e9ec21749cacabf6e4b7beb79f72de7d33326207146f9079063c64b4380b7681cd187ef2cec5af7cb0a440c178e79c2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\95691467-6058-495c-8be5-bb419a75e2d8.tmp

Filesize
11KB

MD5
56122b1c9366057badda7af8c0baf595

SHA1
61267082e3bae30defc1b5050bafb87ead851431

SHA256
8842f4fa1920321a422dd26468b9ef5f76df14a05c4dd8d2cc6b336b70605942

SHA512
8773c268f945f097483ff2eef8ed7401ae34cdb7e74f01eadb2f5e475f4f58b723d978914822d92bdd24636315299c33ec04d05412082f8a89ca1b4e33197da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b2d84cb07fd81d60df845ae51b48a74d

SHA1
e38de899d70157fe97fefad24d531c6fd2279c36

SHA256
d2f61cd9e7561b60c8311f963d5b07b96cceada9814533ec5e046c539779a210

SHA512
b3742f06b161fb72b3a53f0c0417bb59a7a33117ddf7995f7c449f1a18c99d2d7843619ca9a4636d6a258296e6e1c7516b8a30f7fdc470835189790e3fe1be42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e78449af08b25e9a640fc53752a2c5c5

SHA1
1ea832bfb3683a40a65610ddc469c0772b29860d

SHA256
078772797e80f1e4a7c05dfb021cff52b9b1acc1abf6343267638c64b1d3ec74

SHA512
5e2e59a6ef8b7524b78bac9f74d386bb6bdc2565e360234c35929f9c2d178c76180ac66e17f263125d1756e8e79edf441a49102e28a8b51a00a6ba827753f8d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
0cfc68d0c89b23639f7df12d3d83a973

SHA1
8acda58cf339136fc63bb95d158f22dcfbb1539f

SHA256
482fb90b5380e323f7e214999b780b3ff34a35ecff5336fed9cc1d565b9a30b5

SHA512
fee8766a2382ba477c3670133e9039117497c1b25dd0a8af4f931974287991806fced28e9e60f428ff887b7dc91d93f838a2bc600a59b45d6bbb585dca668362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
083afa5fce8bc9e1ef727ebc1d94650f

SHA1
4c5570e0486debdd1961d61fa57d113feb093101

SHA256
34af38a203d851e013df9343329c8432d8f23e89adc43466b72ecbe455a3a8bb

SHA512
b38d324d21f6a4cec92bd088f88762f3669bdc84ce5e44929b832fff3c8dbed9aeac2c60a861cd44ccda1fa3ff3e4e83b3cb3e7b84af9d4dc0d037490cc99ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
5bb7e92a8ab37ee7c89cdba1f6b14839

SHA1
5c3ca2c23d199216e04bfc3042b90ab796d125e6

SHA256
e28b31f0a2210d0dbb8a19dc11c58cb3cc0c6cb0149a662b51af4ea3de85b30e

SHA512
9df4957342efb29d7ff0187c35e76cc3b0622ec807150012039442c392f1c5193d0e075ad38f38966830554559c2b081017cbed3823adf32de325054579a0081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
73edddc10f32614fee8eca241c1e4d75

SHA1
7d9eb618d01050af0c7c61b5fe5c0462be8e70cf

SHA256
82aee53a316b08983aded44af3c849535f84aedde559985f7fe952edc7c2c3d2

SHA512
a06969ac72f56f0bd0a75e4d16b934d67003b7e9b08b739c2b972c428609e21bd84a5401787009ab22f3b1ab454b857a51a785179742abb18ff5020619955f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bb0603f8640087b691c2b36d912b0392

SHA1
73ca4d34e81e488da7c5e1fa6afee97453145653

SHA256
c31c924c21aeac03f9afdb8586a435fa8c9f5d581aa1b42f5f1d0bb5790aac94

SHA512
99b776c926a398d83fe4a1202a2ea34311b88fde1d29538e7c238521fa3b711eac72efd02a0cbe55e8a14684406f8586df1ef64df31d7bdb9140d49170b45b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d8151bbac27c5124840ce082462f5d67

SHA1
282303edcf232012c69f0ad743ba7c617e7d08df

SHA256
0497161897321998556ba9f9cc85f74bf96d9786a51d29b67730e8589fbd63ec

SHA512
2de3c22914955c010df0ed2fb97482729527add162e12ac04c42bdeb706a572751461e8a4aee3766baa0c8ac6e71ff7b6b62b8b3ade5a1ef3c5bfcd1e41c3f5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
e18a9cdc9c0ce0ff4717287678ae863f

SHA1
7fdc7eda1db64560c5a72e4c1f8ef8280d96aa42

SHA256
6791fb3bad0f67a943555c766a126296acc425cebd99fa563d0e938ae5639e7b

SHA512
1c0e068a5b6e5d1441d2acca2e32adac13fca96ad7af16d9f6b3268f9bceb8554a4d62351398d9de17b3ecae861e4219a9625329d6021ba75218fdcc08591088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c5116ff8-2f8a-46bb-98f7-075202b79d3d.tmp

Filesize
5KB

MD5
929f97c1c947a456f77ac063c17bf638

SHA1
c7dc49b9709221b0a283702fdbb62a97bc3ff5ea

SHA256
3344d838f95482fdc701f934e582eb5c15abc00722eefb91c33b6a8cdd76b981

SHA512
25034553654c5fd4f8654c3ec930b3b2876d43e11b94ea01851f668dee2ace53871660238a788b277e792c08f8595c54d2fff33f7e2c01ad492a2fb0ab87953f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
43d20b5962af96489953e153e4f765d9

SHA1
6d59a8d5d8a15d119c942afb9c156faa8ef922a9

SHA256
dc02e649d40e66a623881c16d5828291ada3e9485c08c3c6d24e3f6c38f97438

SHA512
85cf42dee79dde9c54733e74dac2c4d7d437ed3caa8c4265e9cbe279baa962b92e252ce68e09e0b791f47f901ae43630932802da7cd25f7e969df9a718eb985b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit