Analysis

max time kernel: 300s
max time network: 303s
platform: windows10_x64
resource: win10v20210410
submitted: 22-08-2021 10:19
Static task: static1
URLScan task: urlscan1
Sample: https://disk.yandex.ru/d/CorFoVL1X65cTw
Signatures
Executes dropped EXE (6 IoCs)
Processes:
  pid   Process
  5864  ExLoader_Installer.exe
  5972  svchost.exe
  6016  ExLoader_Installer.exe
  796   ExLoader_Installer.exe
  4152  svchost.exe
  4176  ExLoader_Installer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  128   api.ipify.org
  129   api.ipify.org
  132   ip-api.com
  136   api.ipify.org
  138   api.ipify.org
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
Processes:
  pid   pid_target  Process       procid_target
  4492  6048        WerFault.exe  143
  5300  3872        WerFault.exe  153
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Modifies registry class (4 IoCs)
Processes:
  description  ioc                                                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings                                   chrome.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance                             7zFM.exe
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance  7zFM.exe
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings                                   OpenWith.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
Suspicious behavior: GetForegroundWindowSpam (6 IoCs)
Processes:
  pid   Process
  5780  7zFM.exe
  4932  OpenWith.exe
  4608  7zFM.exe
  1312  7zFM.exe
  5260  7zG.exe
  5072  7zFM.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes:
  description                 pid   Process
  Token: SeRestorePrivilege   5780  7zFM.exe
  Token: 35                   5780  7zFM.exe
  Token: SeSecurityPrivilege  5780  7zFM.exe
  Token: SeDebugPrivilege     4492  WerFault.exe
  Token: SeDebugPrivilege     5972  svchost.exe
  Token: SeSecurityPrivilege  5780  7zFM.exe
  Token: SeSecurityPrivilege  5780  7zFM.exe
  Token: SeRestorePrivilege   4608  7zFM.exe
  Token: 35                   4608  7zFM.exe
  Token: SeSecurityPrivilege  5780  7zFM.exe
  Token: SeDebugPrivilege     5300  WerFault.exe
  Token: SeDebugPrivilege     4152  svchost.exe
  Token: SeRestorePrivilege   1312  7zFM.exe
  Token: 35                   1312  7zFM.exe
  Token: SeRestorePrivilege   5260  7zG.exe
  Token: 35                   5260  7zG.exe
  Token: SeSecurityPrivilege  5260  7zG.exe
  Token: SeRestorePrivilege   5072  7zFM.exe
  Token: 35                   5072  7zFM.exe
Suspicious use of FindShellTrayWindow (32 IoCs)
Processes:
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   Process
  4932  OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
Processes

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://disk.yandex.ru/d/CorFoVL1X65cTw
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 3156
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff844514f50,0x7ff844514f60,0x7ff844514f70
    PID: 524

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1504 /prefetch:2
    PID: 2684

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1804 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2788

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
    PID: 3392

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
    PID: 2252

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
    PID: 1616

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
    PID: 3272

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    PID: 2156

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    PID: 3980

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
    PID: 2588

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4832 /prefetch:8
    PID: 4252

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    PID: 4468

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:8
    PID: 4572

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:8
    PID: 4600

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8
    PID: 4676

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5872 /prefetch:8
    PID: 4704

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6056 /prefetch:8
    PID: 4780

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
    PID: 4808

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5872 /prefetch:8
    PID: 4860

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6052 /prefetch:8
    PID: 4936

    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
    PID: 4960

        "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7aa77a890,0x7ff7aa77a8a0,0x7ff7aa77a8b0
        PID: 5016

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5720 /prefetch:8
    PID: 5072

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 512

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
    PID: 1216

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:8
    PID: 4256

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
    PID: 4416

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4608

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7416 /prefetch:8
    PID: 4736

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7292 /prefetch:8
    PID: 4804

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7340 /prefetch:8
    PID: 4784

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7344 /prefetch:8
    PID: 4840

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7372 /prefetch:8
    PID: 4944

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7280 /prefetch:8
    PID: 4928

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7408 /prefetch:8
    PID: 4860

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7364 /prefetch:8
    PID: 5064

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7316 /prefetch:8
    PID: 5104

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7704 /prefetch:8
    PID: 4316

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7712 /prefetch:8
    PID: 4184

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7620 /prefetch:8
    PID: 4924

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8172 /prefetch:8
    PID: 4956

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8444 /prefetch:8
    PID: 5108

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8596 /prefetch:8
    PID: 4640

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8608 /prefetch:8
    PID: 4792

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8624 /prefetch:8
    PID: 4828

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8652 /prefetch:8
    PID: 4852

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8664 /prefetch:8
    PID: 4188

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8908 /prefetch:8
    PID: 4952

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8576 /prefetch:8
    PID: 4388

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8580 /prefetch:8
    PID: 4920

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7372 /prefetch:8
    PID: 4976

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9656 /prefetch:8
    PID: 5156

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7944 /prefetch:8
    PID: 5212

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 5268

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    PID: 5324

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9428 /prefetch:1
    PID: 5340

    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1460,5790309675403519684,6088483272056869198,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9508 /prefetch:1
    PID: 5512
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 5684

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\nixware.rar"
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 5780

    "C:\Users\Admin\AppData\Local\Temp\7zO496D9675\ExLoader_Installer.exe"
    - Executes dropped EXE
    PID: 5864

        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 5972

        "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
        - Executes dropped EXE
        PID: 6016

            "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe" org.develnext.jphp.ext.javafx.FXLauncher
            PID: 6048

                C:\Windows\system32\WerFault.exe -u -p 6048 -s 352
                - Program crash
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 4492

C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 4932

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\nixpaste.dll"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 4608

"C:\Users\Admin\Desktop\ExLoader_Installer.exe"
- Executes dropped EXE
PID: 796

    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4152

    "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
    - Executes dropped EXE
    PID: 4176

        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe" org.develnext.jphp.ext.javafx.FXLauncher
        PID: 3872

            C:\Windows\system32\WerFault.exe -u -p 3872 -s 356
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 5300

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ExLoader_Installer.exe"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 1312

"C:\Program Files\7-Zip\7zG.exe" h -scrcSHA256 -i#7zMap8036:94:7zEvent2378
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 5260

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\ExLoader_Installer.exe"
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 5072
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5 8cbc6d1b481bcfdf928b1e330cea2a0f
  SHA1 504fc13c17e5be4cc38b908d3f8a9bb66499adeb
  SHA256 003546e1b3b5c86763426eda2f9997f7ea8430bcca9a217f294ba8cde273250a
  SHA512 c2775b7989df17cd196accce289551d33889b8b6c56a18c46a20377e33643534453e5a894cf306278fac688ba011e9344c32b347e978e9d9b5275163193d13f7
- MD5 8ee018331e95a610680a789192a9d362
  SHA1 e1fba0ac3f3d8689acf6c2ee26afdfd0c8e02df9
  SHA256 94354ea6703c5ef5fa052aeb1d29715587d80300858ebc063a61c02b7e6e9575
  SHA512 4b89b5adc77641e497eda7db62a48fee7b4b8dda83bff637cac850645d31deb93aafee5afeb41390e07fd16505a63f418b6cb153a1d35777c483e2d6d3f783b4
- MD5 e379e32a7ebab69886a166b052085e48
  SHA1 2c91af7b4fe73dc260ac82d2b698a024ee1cd967
  SHA256 1d936ea9fb383d4cc2138f2e6a1469321ad308b0b9a4e4ab062bd6d19da041bb
  SHA512 afc68ee0f66389f0978f707c2f8ccc469fd9df0e82c7f317984cab5f4783ffc9f673a37edae2180e327dd23d8096d5d294769d13f8ac2baa3d28a38ee9b3ba6b
- MD5 e379e32a7ebab69886a166b052085e48
  SHA1 2c91af7b4fe73dc260ac82d2b698a024ee1cd967
  SHA256 1d936ea9fb383d4cc2138f2e6a1469321ad308b0b9a4e4ab062bd6d19da041bb
  SHA512 afc68ee0f66389f0978f707c2f8ccc469fd9df0e82c7f317984cab5f4783ffc9f673a37edae2180e327dd23d8096d5d294769d13f8ac2baa3d28a38ee9b3ba6b
- MD5 c6e79e50fb866565b6b9e8ef3c2aa2ff
  SHA1 5783a03b54beea6051f0306e317f62ba5c8cda5d
  SHA256 d58dfcb2e4062e1bba45592c2a8fc6badea96a3287d5e7210e1ab408b2146f3a
  SHA512 0288817ba77feb24174acd0b2b6b8cfc58f74150274a33addac0549e2a6bf68b586e6891322b377bdaf68a173f2419bc2c90dce91b84e674f91a931fad14e10d
- MD5 c6e79e50fb866565b6b9e8ef3c2aa2ff
  SHA1 5783a03b54beea6051f0306e317f62ba5c8cda5d
  SHA256 d58dfcb2e4062e1bba45592c2a8fc6badea96a3287d5e7210e1ab408b2146f3a
  SHA512 0288817ba77feb24174acd0b2b6b8cfc58f74150274a33addac0549e2a6bf68b586e6891322b377bdaf68a173f2419bc2c90dce91b84e674f91a931fad14e10d
- MD5 aed36b8bf86392fe50542b04e2ca65db
  SHA1 0784304913211b659a63e44ce8793652ca29942e
  SHA256 d7e98e9e242b7c4d17723f42e5cffc54cc58141a2f0f4ee547a0f611410a59f7
  SHA512 11822394c2c72fc7865759805d971f361edb13ff2ac8bdcf5e10821cd6ee2e8e41d00f32dda5c2de7f138330155b9bfa9a6ab2cae0b33de1477ed6176502e1db
- MD5 aed36b8bf86392fe50542b04e2ca65db
  SHA1 0784304913211b659a63e44ce8793652ca29942e
  SHA256 d7e98e9e242b7c4d17723f42e5cffc54cc58141a2f0f4ee547a0f611410a59f7
  SHA512 11822394c2c72fc7865759805d971f361edb13ff2ac8bdcf5e10821cd6ee2e8e41d00f32dda5c2de7f138330155b9bfa9a6ab2cae0b33de1477ed6176502e1db
- MD5 2fc9db6c5a5b81e94db1fc78a2bcf5fb
  SHA1 5ce83c2b3a303419b2dc3282e53d13ddfe62d236
  SHA256 8a643c1ef44063ede9245eb0381887a81f4903f08e46a20d32bf2b4025c8a226
  SHA512 f515887cbe18a3803a2a59baf068fb4d43d0def654bbd393f517ceffdc4bd3d21b19bc725503dc93b6a908783da8f579e253eedd27895f4fc702df115957841a
- MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e