eec0c93e748bc4743d04a0d092cc9109e30e03e63f69c35a2724e43f7ecb3044

Resubmissions

21-08-2024 09:31

240821-lhklrs1clc 10

15-03-2023 13:27

230315-qqcy4sdc65 10

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Size

1.4MB
MD5

ec0eaaf2f6c0a07dbc2b91222654f40e
SHA1

7b3b71146dc254b5af567c6d78854e4c3d4f2f85
SHA256

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f
SHA512

0bf772eca332e741199197a8de59dbf117e0ec8bf249c78d3d900a8ba374453dcfce5d11224a4a08476ec333deb0604392245d08abb6072bd729b495ce6ced27
SSDEEP

24576:8GU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRDY5hoSQ:XpEUIvU0N9jkpjweXt77E5WF

Score

9^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 iplogger.org
8 iplogger.org

flow	ioc
7	iplogger.org
8	iplogger.org

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Drops file in Program Files directory 10 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

description	ioc	process
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.execmd.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1224 taskkill.exe

pid	process
1224	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133687063368287087"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

4584 chrome.exe
4584 chrome.exe
3812 chrome.exe
3812 chrome.exe
3812 chrome.exe
3812 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

4584 chrome.exe
4584 chrome.exe
4584 chrome.exe
4584 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAssignPrimaryTokenPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLockMemoryPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncreaseQuotaPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeMachineAccountPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTcbPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSecurityPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeTakeOwnershipPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeLoadDriverPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemProfilePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemtimePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeProfSingleProcessPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeIncBasePriorityPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePagefilePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreatePermanentPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeBackupPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRestorePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeShutdownPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeAuditPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSystemEnvironmentPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeChangeNotifyPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeRemoteShutdownPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeUndockPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeSyncAgentPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeEnableDelegationPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeManageVolumePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeImpersonatePrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeCreateGlobalPrivilege	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 31	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 32	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 33	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 34	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: 35	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe
Token: SeCreatePagefilePrivilege	4584	chrome.exe
Token: SeShutdownPrivilege	4584	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe
4584	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.execmd.exechrome.exe

description	pid	process	target process
PID 4064 wrote to memory of 2868	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 4064 wrote to memory of 2868	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 4064 wrote to memory of 2868	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	cmd.exe
PID 2868 wrote to memory of 1224	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 1224	2868	cmd.exe	taskkill.exe
PID 2868 wrote to memory of 1224	2868	cmd.exe	taskkill.exe
PID 4064 wrote to memory of 4584	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	chrome.exe
PID 4064 wrote to memory of 4584	4064	7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe	chrome.exe
PID 4584 wrote to memory of 8	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 8	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 4824	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2540	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 2540	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe
PID 4584 wrote to memory of 392	4584	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe
"C:\Users\Admin\AppData\Local\Temp\7d19bc98d145f06e50022ba7733e9478c96f8856159a502fb13bb5da1b45a15f.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcc7a8cc40,0x7ffcc7a8cc4c,0x7ffcc7a8cc58
    3⤵
    PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1892 /prefetch:2
    3⤵
    PID:4824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2320 /prefetch:8
    3⤵
    PID:392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3152,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
    3⤵
    PID:3288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:4676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3896,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3912 /prefetch:2
    3⤵
    PID:900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4772,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:1
    3⤵
    PID:3220
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5108,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
    3⤵
    PID:440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5012 /prefetch:8
    3⤵
    PID:1500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5016,i,1791407269934251830,5460128962833116246,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5408 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3812

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png

Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js

Filesize
20KB

MD5
9dd512a05cd8f6bddddf653f6a04556b

SHA1
eef5515f4881ca55817ebd7b0cc29203ef92885f

SHA256
2cbb8e0230ad27530487428bc798a9d9afa52f8acd00faf762cf532a89c23636

SHA512
aed8f070f8d29f65cc972f5ca78904da794ce645c1e06f379c9980a19287dd901b2a12417f5913cafa68bfd5abd6f9de49c4cb4ad3ec1792489a2520f879b683

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js

Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json

Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0c723766-a2fd-45e4-9fb6-b49521b1cdb6.tmp

Filesize
201KB

MD5
ed922e62abed80691962da14102199e2

SHA1
d1cba9e3237b6dc50a03eb3c90286bb7c3630bef

SHA256
68b4390cd8b1c319b37594e9975e0ad1def552d519aa2882d49e4333e018b77b

SHA512
2cbeef64640ead439dbd95d1ea86ab263f7d6b1a53ff790c6826764bc4b7deca3d1f18ea1db3ff7d86b01d2c925dfd3aeb8b376122a9488def57e31564f2bac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0637bfcf39941e71ee3673daa039335f

SHA1
591d850ada4f1bd4cac855efff64aac80b839cf2

SHA256
675808c00191bfb1614d3a6425daf8c5c0406f6b3e5a63121d9df332426ec558

SHA512
58d7ea6ca3307fe8fb3cbe1a25adf849aa613dbf457a0ec25db01b3fe073368a2383733614d6ae78a8bcd2542f12cd171d839c55c56ba8eef0f34c07889e0d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
84dd44a8672601a73c112b0cace57869

SHA1
3e4fc8e721a0bb17c9ab6c80d5275a03e1b38820

SHA256
44dc7a7abf7c300fd04da7fc2fff819a15dd35b4f5c324ad1cf19b84a6817d17

SHA512
3d86c7d7ce8800b95270550d098c0ea14df5c706bfe93f05ef0284c1e46430af3a63beaae8f93131749bab0330f7daf899bd1e5e89dba5c0b0ab21fe5af2273a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8a337a781c3518c39f19fc04ecbeae0c

SHA1
fefd035ef7a8b79fc66704b3cae21be6a0d048a0

SHA256
5880fac83f1594f310cf07223ca1fd78fbc301755f27297968f48fb953bf122a

SHA512
7ba46ab0c27d0d392e34e7846a19de8282c1e7c383c455a5d863d4569218f722b2c22efd548a58196899f6d9781ba5b3af8a742d97eae92a7ffcb9872ac7389d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
4a91b48761ff07e12cb1996f1b77a40b

SHA1
24f1081bc36fe13fd1649472c47ae9d98f5a537a

SHA256
e11b1b8cd478f8d2b2cb7e8695a52bd148ed8543d97740f526c701487fe715f0

SHA512
1901a81e58ee33f1844affe8708eb00a733f987d1cbd5dc6b137006195b4f3191da02753b7a8e285056400632cced0c49081409f1b9c008570d988d9b6bd154b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
b72274d79f16100dc056da3be024c860

SHA1
071abaae5d0ad0709248d4cf2292a87c10bd5f80

SHA256
a234fd8876e978081109328cec5968e7002fe449058097baa32819866b2e6319

SHA512
093d91d7aa47ca1643152c914fa19a6660db0b0dd261147c1abcf6dac41e31a7eddf3a1a95d5fbbfac7f087fc7b1f86a2fac427ee8a368d2c3a83649ad07a183

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
62bcd52e9d3595628671720429109035

SHA1
8198953503c9a521e1985a0dbd0a75b2da0e176e

SHA256
ddcc3da8108de21f132179486137fd7f8867fd56937ea921cf49a4b341d8be07

SHA512
151791c4dee9a31195cab6c2131650ceef6b7d54c023a88a2eb8f05d38acfca28835c1c03a0b5b9b84f65573fb699c15665c17a9c8ce6969faf08b48279c872e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
e41c77da2ae2c47fa7b735bb751297cc

SHA1
0e6d1a2434b8cbdf13f9501b8fd8deb97dd2050b

SHA256
9017daf918ccf2ab27cfcfa35c49edb9d6121d2ba3936bc4a66a2eea4a2e905e

SHA512
33dc5036095e3c63d052d65dad8a14cec931661f5ed06ca79268065d8ca04843cc0ba7cd1d37c9c6b4b8010ac895dd4331f6e3660a0fcdcc604614f54ae6302f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee1360d204f21707d7e53bdc9749880c

SHA1
a53030dbf4812a0ddd02f5574742e5c6cc346c53

SHA256
3142df97b726b6aa3ab80e02c8e339430b082fe7184f78ead00507151475c43f

SHA512
5b9428947e2061c8d89484564f48c83a256234b4538cf63ec0e7042e549395305fbc4201c451b9da5b2f7c8e2580836fb5f7a6240cf6407b6294d09166afdc28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19f2a41289436f360ebdbcc3cf9617c2

SHA1
8714665caf52eaae43b62589e9066d571bb7a7ba

SHA256
aea76232dfec116c6a70ed566c1c14c529d1f379495b425699a43ddd3c4b2181

SHA512
a923c67f393a5d2226f0be672def33128c7afb910369992ee7ccf60ac2c057528ce4d07127f19ab24b707818adac77ee32950b37e711131fff45f1018ddedb7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7510b6146d82f12d8c23130b7d56c030

SHA1
ed7f88fa02de8cf0b8c1813c7379274e9fd01275

SHA256
d692e2121c43ebd82609e0a4ec68224263f325f201feaae04aa5c00591cad293

SHA512
fee82ef7e266acabe0801515a830e04051a8ec699704d9032713924c4d042a6627f91498b27026e106f495de605368f67940c762cb5c443c983798b1099b6387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
deade9663f49d4e8cf9100cffb0bc4c8

SHA1
52695a1a011bec6d532003bcb4f95eb4f86c09a9

SHA256
eb932822902abec59bf193303582ccc5dc1219a6f54190038c4b0af11096641d

SHA512
31366273c873b44ab16001c8c5e6d28810b65244feb845594846407e3240895dcc477c1b3bf86fbc63d13027919bc6a9f8df664b0f485e56f39c7bcef1a8a782

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
252bf23dd975bb46cb074c734ae98f96

SHA1
d5881226fe7d4cddf74dae9e77792ca8af93e4ed

SHA256
9c9d080cd1304196b1864ec2f3d2a7c383d3b8e9e274aed0b22097c0ca24a44d

SHA512
45f43918f66012d902b7f064a200a680968101ff6b82f87c5b267c5d487aa858bbd8f0c2055b1ed35af7e7d05f96226eab38e0bcf4f85e9cc635defc59cb9ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
225d5bb6a0902ca2a950f85501f1f7ac

SHA1
dcba21420758d1dcdd834617707eb3e30d669c6b

SHA256
61cdb22fb3c8b2421e9ca02bbf3a59c8ecf029523f25a3c6fdce182812dc7455

SHA512
6287ab006292b3dab2ee48f2ad857d17732bb96e3fc38c513b6abb5e38192e62f17cf9a8e7401479b0cfe2b3d3721686cf432938f8e3b81875fed493ac44953a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6649c8c2a4da32f0013ed28ad6099d25

SHA1
fabe2990807bd827a15144f3f5cf04683f262723

SHA256
b2ec283a2110d8c8aa8badbd586f6be2d0c9a03658c05308248c38196c7cb0a9

SHA512
c0a8a671dc63ea57b22af078cf33b5d9353770f59e34b8e97446254e99b635a2f451939d74ecbed0518647caa01fc383627391a92d9636347ffe69a6cd7bec98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fe051b6992004218a5d495d14b40311e

SHA1
9ac2fd7a3db978faabf632d68b6a6a049350a2eb

SHA256
b35c3ff17c3bc8bffe59281770d11b8779a670ffc4db90f462a69ebe957be691

SHA512
de027841e775c42ed7d7f6c8117f3a677b7720e7c37f48cd2aa61c340c036785388714d659c18e04af29fcbfe07b9c82269860057ab32b5d622445fcbdabcddf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
7b2b6fff95a964d74f7804eec185e133

SHA1
99429a651908b74899810b6b434b7a5c09371c64

SHA256
f56922968c06e3998176d505a38df14e0d105471c200cad8f6ffc7ec89f5f6ce

SHA512
cd70cac1b844bb3ea035f6ebe2e634b2f37dd7128c004a0f8d290b62e813357083a8df4f13a7ee99cfc22b5333fc4ba9965598e1f4de05e19266332b6c04436b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
201KB

MD5
651b6689766bfc0731a2a17c12df0378

SHA1
bb804c45f73d5de40838737f171ec4563b94a556

SHA256
6ae15c44215d43e8116091e0adb515ec233053c8d102733305877245744c310f

SHA512
4af81df39583fde0873317b8655d8d8ed9b460ed7db25901b2b24d79a78410147e3acf1d7419ba0293c59acc63108791ef60e708c8bbcaf0e599f5c001bd83f7

Download Submit
\??\pipe\crashpad_4584_IITIWBLQWZVXRVGQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit