shurk | 6cdefe842611b0f9fea4571bc07ff0de77740f440115852436f4afd1324e981a

General

Target

payload.bin.exe
Size

472KB
MD5

a89b5a1a3c1a93488c80c0068fa16109
SHA1

adeb69a80fe2bf50fd4ce269cc061a92b7ea7314
SHA256

6cdefe842611b0f9fea4571bc07ff0de77740f440115852436f4afd1324e981a
SHA512

c9ad3935a82af2c10c7db9e2a5b83e498de7fa8864b81db33798b629aeff72ce8a5b0dcd66ddf595c608bd87e0b9a94f70fef53f58d506095dbdcb4a8416061e

Score

10^/10

shurk infostealer persistence spyware stealer

Malware Config

Signatures

Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File opened for modification	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe
File created	C:\Windows\system32\Drivers\PROCMON24.SYS	Procmon64.exe

Executes dropped EXE 1 IoCs

pid	Process
5848	Procmon64.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Modifies registry class 19 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_ProcessMonitor.zip\\Procmon.exe\",0"	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\ = "ProcMon Log File"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\Desktop\\Procmon64.exe\" /OpenLog \"%1\""	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.PML\ = "ProcMon.Logfile.1"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_ProcessMonitor.zip\\Procmon.exe\" /OpenLog \"%1\""	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.PML	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.PML\ = "ProcMon.Logfile.1"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1	Procmon64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\DefaultIcon\ = "\"C:\\Users\\Admin\\Desktop\\Procmon64.exe\",0"	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.PML	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell\open\command	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\shell\open	Procmon64.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\ProcMon.Logfile.1\DefaultIcon	Procmon64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Procmon.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
384	payload.bin.exe
384	payload.bin.exe
4308	chrome.exe
4308	chrome.exe
4844	chrome.exe
4844	chrome.exe
5620	chrome.exe
5620	chrome.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
5848	Procmon64.exe
6084	Procmon64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5848	Procmon64.exe
Token: SeLoadDriverPrivilege	5848	Procmon64.exe
Token: SeDebugPrivilege	6084	Procmon64.exe
Token: SeLoadDriverPrivilege	6084	Procmon64.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5848	Procmon64.exe
5848	Procmon64.exe
5848	Procmon64.exe
6084	Procmon64.exe
6084	Procmon64.exe
6084	Procmon64.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3840	5104	chrmstp.exe	101
PID 5104 wrote to memory of 3840	5104	chrmstp.exe	101
PID 5752 wrote to memory of 5848	5752	Procmon.exe	143
PID 5752 wrote to memory of 5848	5752	Procmon.exe	143

C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
1⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1408 /prefetch:1
1⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
1⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
1⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
1⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
1⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
1⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
1⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6332 /prefetch:8
1⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6492 /prefetch:8
1⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6352 /prefetch:8
1⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:8
1⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6504 /prefetch:8
1⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6640 /prefetch:8
1⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:8
1⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:8
1⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6580 /prefetch:8
1⤵
PID:5060

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
1⤵
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff63162a890,0x7ff63162a8a0,0x7ff63162a8b0
  2⤵
  PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:8
1⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:8
1⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:8
1⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6188 /prefetch:8
1⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
1⤵
PID:4312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6192 /prefetch:8
1⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6232 /prefetch:8
1⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
1⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5772 /prefetch:8
1⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
1⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7044 /prefetch:8
1⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
1⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7500 /prefetch:8
1⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7492 /prefetch:8
1⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7708 /prefetch:8
1⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7824 /prefetch:8
1⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7964 /prefetch:8
1⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7820 /prefetch:8
1⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7948 /prefetch:8
1⤵
PID:3824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7380 /prefetch:8
1⤵
PID:4188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8380 /prefetch:8
1⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7408 /prefetch:8
1⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8460 /prefetch:8
1⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7388 /prefetch:8
1⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8860 /prefetch:8
1⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8992 /prefetch:8
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8984 /prefetch:8
1⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9272 /prefetch:8
1⤵
PID:4820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9100 /prefetch:1
1⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
1⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
1⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3968 /prefetch:8
1⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
1⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,2865969277674188796,8714872043050421635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7932 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\Temp1_ProcessMonitor.zip\Procmon.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_ProcessMonitor.zip\Procmon.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5752
- C:\Users\Admin\AppData\Local\Temp\Procmon64.exe
  "C:\Users\Admin\AppData\Local\Temp\Procmon64.exe" /originalpath "C:\Users\Admin\AppData\Local\Temp\Temp1_ProcessMonitor.zip\Procmon.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5848

C:\Users\Admin\Desktop\Procmon64.exe
"C:\Users\Admin\Desktop\Procmon64.exe"
1⤵
- Drops file in Drivers directory
- Modifies registry class
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-114-0x00007FFB8A640000-0x00007FFB8A641000-memory.dmp

Filesize
4KB

Download
memory/5848-301-0x00007FFB4C290000-0x00007FFB4C2A0000-memory.dmp

Filesize
64KB

Download
memory/5848-302-0x00007FFB4C290000-0x00007FFB4C2A0000-memory.dmp

Filesize
64KB

Download
memory/6084-303-0x00007FFB4C290000-0x00007FFB4C2A0000-memory.dmp

Filesize
64KB

Download
memory/6084-304-0x00007FFB4C290000-0x00007FFB4C2A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing