phorphiex | 794d7a6997fe076aebd016658a0f2fffc19546c899a9b220af921eecf4bc0a3e

General

Target

1694521508.bin.exe
Size

100KB
MD5

ee0a1ec859b753abc30847157d81f37c
SHA1

2fd868d94c6dc063ca49c767c873505fbc87dcd9
SHA256

abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922
SHA512

6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Score

10^/10

phorphiex evasion loader persistence trojan worm

Malware Config

Signatures

Phorphiex Payload 3 IoCs

Processes:

resource	yara_rule
\19384107851087\lsass.exe	family_phorphiex
C:\19384107851087\lsass.exe	family_phorphiex
C:\19384107851087\lsass.exe	family_phorphiex

Phorphiex Worm
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112
Executes dropped EXE 1 IoCs

Processes:

lsass.exe

pid process

2740 lsass.exe
Loads dropped DLL 1 IoCs

Processes:

1694521508.bin.exe

pid process

368 1694521508.bin.exe

pid	process
2740	lsass.exe

pid	process
368	1694521508.bin.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1694521508.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\19384107851087\\lsass.exe"	1694521508.bin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\19384107851087\\lsass.exe"	1694521508.bin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid process

1552 chrome.exe
640 chrome.exe
640 chrome.exe
436 chrome.exe
2392 chrome.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

chrome.exenotepad.exe

pid process

640 chrome.exe
640 chrome.exe
640 chrome.exe
1392 notepad.exe
640 chrome.exe

pid	process
1552	chrome.exe
640	chrome.exe
640	chrome.exe
436	chrome.exe
2392	chrome.exe

pid	process
640	chrome.exe
640	chrome.exe
640	chrome.exe
1392	notepad.exe
640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 640 wrote to memory of 1348	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1348	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1348	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 904	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1552	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1552	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1552	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe
PID 640 wrote to memory of 1028	640	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\1694521508.bin.exe
"C:\Users\Admin\AppData\Local\Temp\1694521508.bin.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
PID:368

C:\19384107851087\lsass.exe
C:\19384107851087\lsass.exe
2⤵
- Executes dropped EXE
- Windows security modification
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5f74f50,0x7fef5f74f60,0x7fef5f74f70
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1176 /prefetch:2
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1672 /prefetch:8
2⤵
PID:1028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1256 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3024 /prefetch:2
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
2⤵
PID:364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
2⤵
PID:612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2324 /prefetch:1
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2228 /prefetch:1
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
PID:2460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f9ca890,0x13f9ca8a0,0x13f9ca8b0
3⤵
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:8
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3224 /prefetch:8
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3284 /prefetch:8
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4548 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8
2⤵
PID:2572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5008 /prefetch:8
2⤵
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
2⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:8
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:8
2⤵
PID:1880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4536 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5180 /prefetch:8
2⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:2296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4236 /prefetch:8
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
2⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=496 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1148,17398101964236773033,946383358549915118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:1976

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\19384107851087\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\19384107851087\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
8ef2d083072bdb7f70fd3e9255a00f29

SHA1
6f578b9bba9f1cc54f6644ac8ea5e978b68a3f28

SHA256
dcee26847600906f0e6791e53875c81ab9772b6e18f102acbe09a18d74be4e9a

SHA512
b9d40a8d2bd527405665f302ad5d8e96bbda26e6eafb6cf56f1108448f97e843b98bc733a99198cecf4bff3e6f8225a9bb65acd3267f25896cd7b32c2ccefa5e

Download Submit
\19384107851087\lsass.exe
MD5
ee0a1ec859b753abc30847157d81f37c

SHA1
2fd868d94c6dc063ca49c767c873505fbc87dcd9

SHA256
abf63fc54948cdd9d1bf46a2f59fcb081bb0ff10b595f0ba2faad392ad368922

SHA512
6ba490cad428176d4235241ab96d741121e608f3fcf156c4a8ba0b106c640ac392ef4f74e0b11f5c56c3829e8566a613676dbef812e1e89c248c40338331bfdc

Download Submit
\??\pipe\crashpad_640_ZSFNPUKUPSSVSZJJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/268-72-0x0000000000000000-mapping.dmp

Download
memory/364-105-0x0000000000000000-mapping.dmp

Download
memory/368-60-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/384-176-0x0000000000000000-mapping.dmp

Download
memory/436-156-0x0000000000000000-mapping.dmp

Download
memory/612-108-0x0000000000000000-mapping.dmp

Download
memory/640-86-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/904-66-0x00000000776F0000-0x00000000776F1000-memory.dmp

Filesize
4KB

Download
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/908-178-0x0000000000000000-mapping.dmp

Download
memory/956-177-0x0000000000000000-mapping.dmp

Download
memory/1028-69-0x0000000000000000-mapping.dmp

Download
memory/1324-174-0x0000000000000000-mapping.dmp

Download
memory/1332-115-0x0000000000000000-mapping.dmp

Download
memory/1348-61-0x0000000000000000-mapping.dmp

Download
memory/1392-113-0x000007FEFBDC1000-0x000007FEFBDC3000-memory.dmp

Filesize
8KB

Download
memory/1420-111-0x0000000000000000-mapping.dmp

Download
memory/1552-65-0x0000000000000000-mapping.dmp

Download
memory/1880-175-0x0000000000000000-mapping.dmp

Download
memory/1940-173-0x0000000000000000-mapping.dmp

Download
memory/1976-192-0x0000000000000000-mapping.dmp

Download
memory/2076-75-0x0000000000000000-mapping.dmp

Download
memory/2176-189-0x0000000000000000-mapping.dmp

Download
memory/2180-121-0x0000000000000000-mapping.dmp

Download
memory/2192-185-0x0000000000000000-mapping.dmp

Download
memory/2212-124-0x0000000000000000-mapping.dmp

Download
memory/2236-78-0x0000000000000000-mapping.dmp

Download
memory/2240-164-0x0000000000000000-mapping.dmp

Download
memory/2260-81-0x0000000000000000-mapping.dmp

Download
memory/2272-130-0x0000000000000000-mapping.dmp

Download
memory/2296-182-0x0000000000000000-mapping.dmp

Download
memory/2320-83-0x0000000000000000-mapping.dmp

Download
memory/2324-166-0x0000000000000000-mapping.dmp

Download
memory/2348-88-0x0000000000000000-mapping.dmp

Download
memory/2352-169-0x0000000000000000-mapping.dmp

Download
memory/2364-158-0x0000000000000000-mapping.dmp

Download
memory/2380-90-0x0000000000000000-mapping.dmp

Download
memory/2392-188-0x0000000000000000-mapping.dmp

Download
memory/2400-180-0x0000000000000000-mapping.dmp

Download
memory/2420-184-0x0000000000000000-mapping.dmp

Download
memory/2432-118-0x0000000000000000-mapping.dmp

Download
memory/2448-136-0x0000000000000000-mapping.dmp

Download
memory/2460-133-0x0000000000000000-mapping.dmp

Download
memory/2496-187-0x0000000000000000-mapping.dmp

Download
memory/2508-181-0x0000000000000000-mapping.dmp

Download
memory/2516-148-0x0000000000000000-mapping.dmp

Download
memory/2544-154-0x0000000000000000-mapping.dmp

Download
memory/2568-144-0x0000000000000000-mapping.dmp

Download
memory/2572-171-0x0000000000000000-mapping.dmp

Download
memory/2576-168-0x0000000000000000-mapping.dmp

Download
memory/2604-172-0x0000000000000000-mapping.dmp

Download
memory/2612-183-0x0000000000000000-mapping.dmp

Download
memory/2648-139-0x0000000000000000-mapping.dmp

Download
memory/2660-170-0x0000000000000000-mapping.dmp

Download
memory/2664-142-0x0000000000000000-mapping.dmp

Download
memory/2668-167-0x0000000000000000-mapping.dmp

Download
memory/2696-186-0x0000000000000000-mapping.dmp

Download
memory/2712-179-0x0000000000000000-mapping.dmp

Download
memory/2712-190-0x0000000000000000-mapping.dmp

Download
memory/2720-94-0x0000000000000000-mapping.dmp

Download
memory/2740-97-0x0000000000000000-mapping.dmp

Download
memory/2756-191-0x0000000000000000-mapping.dmp

Download
memory/2768-145-0x0000000000000000-mapping.dmp

Download
memory/2860-151-0x0000000000000000-mapping.dmp

Download
memory/2876-160-0x0000000000000000-mapping.dmp

Download
memory/2900-127-0x0000000000000000-mapping.dmp

Download
memory/3000-102-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads