8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Size

1.5MB
MD5

c6fb49e008a24022c9d182158cfe2f68
SHA1

11afa4de64eccd2707679c220201ecca221587fa
SHA256

8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db
SHA512

4bf2f89fd43990840719101d822caba9351e49d404e14780411cb9f7728122b56a63a519fc864177948019efb02b89649242e15e318f245ddbde990284acc2b3
SSDEEP

24576:7GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRTZ5hHSr:KpEUIvU0N9jkpjweXt7715JC

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 iplogger.org
4 iplogger.org

flow	ioc
5	iplogger.org
4	iplogger.org

Drops file in Program Files directory 10 IoCs

Processes:

8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1692 taskkill.exe

pid	process
1692	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133618554320911518"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

1948 chrome.exe
1948 chrome.exe
3704 chrome.exe
3704 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1948 chrome.exe
1948 chrome.exe
1948 chrome.exe
1948 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeAssignPrimaryTokenPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeLockMemoryPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeIncreaseQuotaPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeMachineAccountPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeTcbPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeSecurityPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeTakeOwnershipPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeLoadDriverPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeSystemProfilePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeSystemtimePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeProfSingleProcessPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeIncBasePriorityPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeCreatePagefilePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeCreatePermanentPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeBackupPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeRestorePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeShutdownPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeDebugPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeAuditPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeSystemEnvironmentPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeChangeNotifyPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeRemoteShutdownPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeUndockPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeSyncAgentPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeEnableDelegationPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeManageVolumePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeImpersonatePrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeCreateGlobalPrivilege	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: 31	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: 32	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: 33	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: 34	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: 35	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe
Token: SeCreatePagefilePrivilege	1948	chrome.exe
Token: SeShutdownPrivilege	1948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.execmd.exechrome.exe

description	pid	process	target process
PID 4904 wrote to memory of 3220	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe	cmd.exe
PID 4904 wrote to memory of 3220	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe	cmd.exe
PID 4904 wrote to memory of 3220	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe	cmd.exe
PID 3220 wrote to memory of 1692	3220	cmd.exe	taskkill.exe
PID 3220 wrote to memory of 1692	3220	cmd.exe	taskkill.exe
PID 3220 wrote to memory of 1692	3220	cmd.exe	taskkill.exe
PID 4904 wrote to memory of 1948	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe	chrome.exe
PID 4904 wrote to memory of 1948	4904	8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe	chrome.exe
PID 1948 wrote to memory of 1576	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1576	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 1188	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 2936	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 2936	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe
PID 1948 wrote to memory of 4032	1948	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe
"C:\Users\Admin\AppData\Local\Temp\8209c631b932572ba990ed04dee8223af8adaba8a355298110e042eb8efee2db.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8100fab58,0x7ff8100fab68,0x7ff8100fab78
    3⤵
    PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:2
    3⤵
    PID:1188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:2936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2244 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:4032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2892 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:1
    3⤵
    PID:3980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:1
    3⤵
    PID:3460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3840 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:1
    3⤵
    PID:3552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3580 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:1
    3⤵
    PID:868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:2896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:4488
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:2108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5080 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:4872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:8
    3⤵
    PID:4272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1908,i,8768970169404925010,10534677614717393627,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3704

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
9e739e3b5afc8a98f4b49812cbba37a0

SHA1
fda963240b441d79aa42d72c3a7321d7b02f982e

SHA256
e69aa8c04033f13be304da81a42fb3daa730148c1de438daaae9d3aa94f75621

SHA512
9536c6fdd6fa530ad7aecee3b09cee1ea9dc86777a0fffafa925e07217ea221835c22726baf5f04e234eb71acceaa9f611cf22198fe18a690526740148bdf409

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\12837440-f2fb-4457-8c9d-035e6058d4e0.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
5f262d9cc1769260c83ce30636db337e

SHA1
ef990720d4029d801b0465b88be38c3bc15d1d42

SHA256
b473d661c486e2f7bf9ee8fd5e12ee3b0211a1e4012b4ad401d1b52a6061d6c9

SHA512
662d21cc8d6d5ac008b06a259a0f649af4c044eaeb28ea56a244c4d7c51e58afa387b22b20960d01ae1ea00565e46369436351b8391f90111977048c2deafeec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
449d9b5d468b168a61556569c6d672cb

SHA1
e1c5dbfd1de56a11ba665b5fcda2628740c554cd

SHA256
aa57eeeca2594ca093e10614f292d84500efd91c02a7a3a65cbb717d216175fe

SHA512
72867cb2b52e783acb861b8cc8a491a4c26a71e50ac4a48bd31f46ce4580858dd7cbc07eb7f20523f3459b485efac0af409b5fe02f1e93dd25267ec008cd997d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
152f3de11686d231d58ba630815b2d7d

SHA1
6de10cc6f8dd2e25b62f4cfb9ab006dcf615bdc7

SHA256
b8c510a42dbd7517c5e80374e65662ad873cab368d9f2aba10c8a06e7975c313

SHA512
3de7d62dde588fa7d9d5ddf4fbee16699cf5de5bc4eb22ee31e0fc661e6aa33b7d60e049f2d32e0313fb02ea994423484e7297d1d2132daab3a01c3e44d98c67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
1eb1dac4373b0accb6958f7a8a7aeb00

SHA1
4987e7578d0e577324abac16ded3eb567d02cb99

SHA256
2544552c3865d65ae0f2abf43a817b40c6dafaf4bfeb58f7c5abd9dbd7434c34

SHA512
b33efb1b08652a7719d89dfc5763bb4b6502a88b2069c4dc0652b735802e53d7972c0f48e8e327a08d027253647734d5f0c4610ef41227b46a4eddaca1846034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
6088e46c47ad2de4ca7eada252417b96

SHA1
7a96ebbba5c0be3b1063fe60a60cbd60b65d274a

SHA256
36b096be9a5bd69a0852756ebe7bbbce7ee3000e9b0f9844b51e700929dc15bb

SHA512
605974a7eb36df7569a0d953c520d0ca51ed54298acb90edf185b179f075725196ce83350b2cb0556c1cc46a92b88f399722da855fcfcc64e6519d27fd737a89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0aa3c17a90fef9dcb1810214c3a575d5

SHA1
af215ed4bed863f0b4b348c3ea3efa1228c1189f

SHA256
67076cd2ea04fa1433956cb0a94d886e72d8bbad7808501545e1cce41492d5e7

SHA512
895fcb6e3baaee88b3f01ef0d24b9eba661a0af7c690414a88ffb1c3fb9b4faf7c032acad146a42053791256f2b282890b01ec15d98c7f2578b9ac37fef582b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
478db5d599acc622cf74e8dfd7017e46

SHA1
3ab24aaa807c49cf5df34367a8c0f28e6a5e6f91

SHA256
f3a9191ad2e387ea13dabb2535c4d1d6facbdbd052c786ae0806533c16ae9b2e

SHA512
1820ffe6fc6c9bea177a210abb1affdb591a8b04b28a9d81926b22f41ddef020bcf414e1aa457246799b1b3272c6fb5e5ec14bf6b8ae57c64e321fd7d91d5f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
828bceb3dc2ce51a99b32aff0336fd15

SHA1
67ee29eb3cbe53aa07e86856b9ba76a00bb90094

SHA256
99b187af3ea03fc495ce6d2a1feda5a9a08355b0334780b0bb1305b21e1b5076

SHA512
c18c654ff2a5fafd2e776be9c2fba328f60d982de5c0b2e3ede3e2df2d9c6c5fd3881718cda54018ead316f4b97993f8e8bb8a8209d1250c204318b591af07d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
9ea30262c1fe982a89f8e78e878790c8

SHA1
fcffdc12e58abc63c93fbd91fd9981004679d1de

SHA256
d0cdce13494b6fe667a1bdf434dca245ee68892a8433ed98da30c2cd140c3aa7

SHA512
790297ad057b2f41c29aeac057ada5ad765f3ba4a254d9f4d63812e51286d7c250e329044e41a63cca56fd0ee7c0441918ea01a1cc8f2744ee57f0f271c6a954

Download Submit
\??\pipe\crashpad_1948_PHGRSQBSGISKXCLO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit