https://disk.yandex.ru/d/pMMry2jiGDoGYg

General

Target: https://disk.yandex.ru/d/pMMry2jiGDoGYg
Filesize: N/A
Completed: 27-07-2021 15:37
Score: 10/10
Malware Config
Signatures (13)


Tactics: Defense Evasion, Discovery, Persistence
  • NanoCore

    Description

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • Executes dropped EXE
    loader.exe (8 instances)

    Reported IOCs

    pid  | process
    3684 | loader.exe
    5104 | loader.exe
    4968 | loader.exe
    4916 | loader.exe
    812  | loader.exe
    4724 | loader.exe
    2220 | loader.exe
    1456 | loader.exe
  • Adds Run key to start application
    loader.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ISS Manager = "C:\\Program Files (x86)\\ISS Manager\\issmgr.exe" | loader.exe
  • Checks whether UAC is enabled
    loader.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description       | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | loader.exe
  • Drops file in Program Files directory
    chrome.exe, loader.exe

    Reported IOCs

    description                  | ioc | process
    File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\loader.exe | chrome.exe
    File created                 | C:\Program Files (x86)\ISS Manager\issmgr.exe | loader.exe
    File opened for modification | C:\Program Files (x86)\ISS Manager\issmgr.exe | loader.exe
  • Creates scheduled task(s)
    schtasks.exe (2 instances)

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid  | process
    4400 | schtasks.exe
    4252 | schtasks.exe
  • Enumerates system info in registry
    chrome.exe

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description       | ioc | process
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  • Modifies registry class
    7zFM.exe, chrome.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | 7zFM.exe
    Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | chrome.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | 7zFM.exe
  • Suspicious behavior: EnumeratesProcesses
    chrome.exe (7 instances)

    Reported IOCs

    pid  | process    | count
    4060 | chrome.exe | 2
    2184 | chrome.exe | 2
    4872 | chrome.exe | 2
    5028 | chrome.exe | 2
    4284 | chrome.exe | 2
    4416 | chrome.exe | 2
    3768 | chrome.exe | 2
  • Suspicious behavior: GetForegroundWindowSpam
    7zFM.exe

    Reported IOCs

    pid  | process
    4888 | 7zFM.exe
  • Suspicious use of AdjustPrivilegeToken
    7zFM.exe

    Reported IOCs

    description                | pid  | process
    Token: SeRestorePrivilege  | 4888 | 7zFM.exe
    Token: 35                  | 4888 | 7zFM.exe
    Token: SeSecurityPrivilege | 4888 | 7zFM.exe
  • Suspicious use of FindShellTrayWindow
    chrome.exe, 7zFM.exe

    Reported IOCs

    pid  | process    | count
    2184 | chrome.exe | 12
    4888 | 7zFM.exe   | 2
    2184 | chrome.exe | 1
  • Suspicious use of WriteProcessMemory
    chrome.exe

    Reported IOCs

    description                      | pid  | process    | target process | count
    PID 2184 wrote to memory of 584  | 2184 | chrome.exe | chrome.exe     | 2
    PID 2184 wrote to memory of 2804 | 2184 | chrome.exe | chrome.exe     | 40
    PID 2184 wrote to memory of 4060 | 2184 | chrome.exe | chrome.exe     | 2
    PID 2184 wrote to memory of 3992 | 2184 | chrome.exe | chrome.exe     | 20
Processes (75)
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" https://disk.yandex.ru/d/pMMry2jiGDoGYg
    Enumerates system info in registry
    Modifies registry class
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff978724f50,0x7ff978724f60,0x7ff978724f70
      PID:584
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
      PID:2804
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1704 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:4060
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
      PID:3992
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
      PID:3356
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
      PID:3388
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      PID:680
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      PID:2320
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      PID:2008
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
      PID:3984
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
      PID:4504
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6356 /prefetch:8
      Drops file in Program Files directory
      PID:4652
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
      PID:4668
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:4872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
      PID:4948
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:8
      PID:5000
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7128 /prefetch:8
      PID:5052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:8
      PID:5104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
      PID:4152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
      PID:4052
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7260 /prefetch:8
      PID:4428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7252 /prefetch:8
      PID:4532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7012 /prefetch:8
      PID:4056
    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
      PID:4920
      • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff66547a890,0x7ff66547a8a0,0x7ff66547a8b0
        PID:4972
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:5028
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
      PID:5076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7268 /prefetch:8
      PID:3580
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7028 /prefetch:8
      PID:4484
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8
      PID:4508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:8
      PID:4692
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7296 /prefetch:8
      PID:2484
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
      PID:4872
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
      PID:5008
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:8
      PID:4532
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
      PID:5012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:8
      PID:4420
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
      PID:4592
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
      PID:3840
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7864 /prefetch:8
      PID:4428
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7012 /prefetch:8
      PID:4468
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
      PID:4848
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8144 /prefetch:8
      PID:4720
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8400 /prefetch:8
      PID:4988
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8536 /prefetch:8
      PID:208
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8668 /prefetch:8
      PID:4012
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8788 /prefetch:8
      PID:5084
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8808 /prefetch:8
      PID:4628
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8820 /prefetch:8
      PID:4372
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8840 /prefetch:8
      PID:3508
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8852 /prefetch:8
      PID:2288
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8244 /prefetch:8
      PID:1408
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9484 /prefetch:8
      PID:2196
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
      PID:4224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      PID:4152
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
      PID:4704
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8492 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:4284
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1
      PID:4348
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7272 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:4416
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8348 /prefetch:8
      Suspicious behavior: EnumeratesProcesses
      PID:3768
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7768 /prefetch:8
      PID:4504
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,13278734518931542861,18361099414645799667,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
      PID:5056
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:476
  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Архив WinRAR.rar"
    Modifies registry class
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    PID:4888
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    Adds Run key to start application
    Checks whether UAC is enabled
    Drops file in Program Files directory
    PID:3684
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ISS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp73E9.tmp"
      Creates scheduled task(s)
      PID:4400
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "ISS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7486.tmp"
      Creates scheduled task(s)
      PID:4252
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:5104
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:4968
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:4916
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:812
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:4724
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:2220
  • C:\Users\Admin\Desktop\loader.exe
    "C:\Users\Admin\Desktop\loader.exe"
    Executes dropped EXE
    PID:1456
Network
MITRE ATT&CK Matrix
  Collection · Command and Control · Credential Access · Defense Evasion · Execution · Exfiltration · Impact · Initial Access · Lateral Movement · Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
    MD5: 3e2a782e0c3a33c66acb563b192fac1d
    SHA1: d1ed040cf8193be27e4fb8e9ee7f3c9488b62f28
    SHA256: 53029829959a0150440b7d14af98876a23b035ea8b27e14e86b9cbf70696b05a
    SHA512: fd7e357309221b4f05206faafd2b1c78777444856a3420853f621d2102506d6438091c13c466d63a817cba18c00b9bbc5ca8c378fb3c9b2205db0eb0859750ed
  • C:\Users\Admin\Downloads\Архив WinRAR.rar
    MD5: d25dfa79f763617cb98b1fefe3a2ecf8
    SHA1: 26b7613c2a5e57e8ae180df192fe835ba053ae44
    SHA256: 2add003529319ac44133d4795f78d977b103685319db4d626fabe20a7ed5bb5c
    SHA512: bb272363a91bda0c401a2d49a916fb4b10cb67110282d75edd1799cbc35dd9eaa5240087c4d252e849bc3ae201484c5ae3d128c5b9df5d826189f630c94ab246
  • \??\pipe\crashpad_2184_KGDNRGPVNFSFIIHU (0-byte capture: these are the hashes of empty input)
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  • memory/208-340-0x0000000000000000-mapping.dmp
  • memory/584-116-0x0000000000000000-mapping.dmp
  • memory/680-144-0x0000000000000000-mapping.dmp
  • memory/812-438-0x0000000002430000-0x0000000002431000-memory.dmp
  • memory/1408-375-0x0000000000000000-mapping.dmp
  • memory/1456-441-0x0000000002EE0000-0x0000000002EE1000-memory.dmp
  • memory/2008-155-0x0000000000000000-mapping.dmp
  • memory/2196-380-0x0000000000000000-mapping.dmp
  • memory/2220-440-0x0000000002550000-0x0000000002551000-memory.dmp
  • memory/2288-367-0x0000000000000000-mapping.dmp
  • memory/2320-149-0x0000000000000000-mapping.dmp
  • memory/2484-275-0x0000000000000000-mapping.dmp
  • memory/2804-123-0x00007FF98C450000-0x00007FF98C451000-memory.dmp
  • memory/2804-121-0x0000000000000000-mapping.dmp
  • memory/3356-132-0x0000000000000000-mapping.dmp
  • memory/3388-138-0x0000000000000000-mapping.dmp
  • memory/3508-363-0x0000000000000000-mapping.dmp
  • memory/3580-255-0x0000000000000000-mapping.dmp
  • memory/3684-432-0x0000000000A90000-0x0000000000A91000-memory.dmp
  • memory/3768-419-0x0000000000000000-mapping.dmp
  • memory/3840-310-0x0000000000000000-mapping.dmp
  • memory/3984-162-0x0000000000000000-mapping.dmp
  • memory/3992-126-0x0000000000000000-mapping.dmp
  • memory/4012-345-0x0000000000000000-mapping.dmp
  • memory/4052-221-0x0000000000000000-mapping.dmp
  • memory/4056-236-0x0000000000000000-mapping.dmp
  • memory/4060-122-0x0000000000000000-mapping.dmp
  • memory/4152-392-0x0000000000000000-mapping.dmp
  • memory/4152-216-0x0000000000000000-mapping.dmp
  • memory/4224-385-0x0000000000000000-mapping.dmp
  • memory/4252-434-0x0000000000000000-mapping.dmp
  • memory/4284-405-0x0000000000000000-mapping.dmp
  • memory/4348-409-0x0000000000000000-mapping.dmp
  • memory/4372-356-0x0000000000000000-mapping.dmp
  • memory/4400-433-0x0000000000000000-mapping.dmp
  • memory/4416-415-0x0000000000000000-mapping.dmp
  • memory/4420-300-0x0000000000000000-mapping.dmp
  • memory/4428-226-0x0000000000000000-mapping.dmp
  • memory/4428-315-0x0000000000000000-mapping.dmp
  • memory/4468-320-0x0000000000000000-mapping.dmp
  • memory/4484-260-0x0000000000000000-mapping.dmp
  • memory/4504-423-0x0000000000000000-mapping.dmp
  • memory/4504-176-0x0000000000000000-mapping.dmp
  • memory/4508-265-0x0000000000000000-mapping.dmp
  • memory/4532-231-0x0000000000000000-mapping.dmp
  • memory/4532-290-0x0000000000000000-mapping.dmp
  • memory/4592-305-0x0000000000000000-mapping.dmp
  • memory/4628-353-0x0000000000000000-mapping.dmp
  • memory/4652-181-0x0000000000000000-mapping.dmp
  • memory/4668-184-0x0000000000000000-mapping.dmp
  • memory/4692-270-0x0000000000000000-mapping.dmp
  • memory/4704-399-0x0000000000000000-mapping.dmp
  • memory/4720-330-0x0000000000000000-mapping.dmp
  • memory/4724-439-0x00000000008D0000-0x00000000008D1000-memory.dmp
  • memory/4848-325-0x0000000000000000-mapping.dmp
  • memory/4872-192-0x0000000000000000-mapping.dmp
  • memory/4872-280-0x0000000000000000-mapping.dmp
  • memory/4916-437-0x0000000002E30000-0x0000000002E31000-memory.dmp
  • memory/4920-240-0x0000000000000000-mapping.dmp
  • memory/4948-196-0x0000000000000000-mapping.dmp
  • memory/4968-436-0x0000000000F00000-0x0000000000FAE000-memory.dmp
  • memory/4972-243-0x0000000000000000-mapping.dmp
  • memory/4988-335-0x0000000000000000-mapping.dmp
  • memory/5000-201-0x0000000000000000-mapping.dmp
  • memory/5008-285-0x0000000000000000-mapping.dmp
  • memory/5012-295-0x0000000000000000-mapping.dmp
  • memory/5028-246-0x0000000000000000-mapping.dmp
  • memory/5052-206-0x0000000000000000-mapping.dmp
  • memory/5056-428-0x0000000000000000-mapping.dmp
  • memory/5076-250-0x0000000000000000-mapping.dmp
  • memory/5084-350-0x0000000000000000-mapping.dmp
  • memory/5104-435-0x0000000000A60000-0x0000000000A61000-memory.dmp
  • memory/5104-211-0x0000000000000000-mapping.dmp