xloader | 09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92

General

Target

Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe
Size

920KB
MD5

65523cf4b441d2dbe144566c4bea5849
SHA1

119d9e00c6b08f5e93f477a9429c263390e4a4c2
SHA256

09effc5108b5ca6e852a9712180ad493ad2e4aa5e3693056953583fbce18cf92
SHA512

348e742fae24048357e04e10872228438c1a327b7292944beefb0b885b7f9995d01b0aec2e0a5316cf5ac6bcc2f8afd7868076d477bf6b09791d3127b57a089b

Score

10^/10

xloader pvxz loader persistence rat

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pvxz

Decoy

imt-token.club

abravewayocen.online

shcloudcar.com

mshoppingworld.online

ncgf08.xyz

stuinfo.xyz

wesavetheplanetofficial.com

tourbox.xyz

believeinyourselftraining.com

jsboyat.com

aaeconomy.info

9etmorea.info

purosepeti7.com

goticketly.com

pinkmemorypt.com

mylifewellnesscentre.com

iridina.online

petrestore.online

neema.xyz

novelfooditalia.com

Signatures

Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-210-0x0000000072480000-0x00000000724A9000-memory.dmp	xloader
behavioral1/memory/524-214-0x00000000007E0000-0x0000000000AA3000-memory.dmp	xloader

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pzszsebwqn = "C:\\Users\\Admin\\Contacts\\nqwbeszszP.url"	Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

logagent.exe

description pid process target process

PID 524 set thread context of 2420 524 logagent.exe Explorer.EXE

description	pid	process	target process
PID 524 set thread context of 2420	524	logagent.exe	Explorer.EXE

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exeLogonUI.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\97717462.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\1361672858.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\421858948\3551649488.pri	LogonUI.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

taskmgr.exechrome.exechrome.exelogagent.exe

pid	process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
1932	chrome.exe
1932	chrome.exe
2472	chrome.exe
2472	chrome.exe
524	logagent.exe
524	logagent.exe
524	logagent.exe
524	logagent.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

logagent.exe

pid process

524 logagent.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2472 chrome.exe
2472 chrome.exe
2472 chrome.exe

pid	process
524	logagent.exe

pid	process
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

taskmgr.exelogagent.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3752	taskmgr.exe
Token: SeSystemProfilePrivilege	3752	taskmgr.exe
Token: SeCreateGlobalPrivilege	3752	taskmgr.exe
Token: 33	3752	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3752	taskmgr.exe
Token: SeDebugPrivilege	524	logagent.exe
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE
Token: SeShutdownPrivilege	2420	Explorer.EXE
Token: SeCreatePagefilePrivilege	2420	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
2472	chrome.exe
2472	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
3752	taskmgr.exe
2472	chrome.exe
2472	chrome.exe
2472	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

LogonUI.exe

pid process

792 LogonUI.exe
792 LogonUI.exe

pid	process
792	LogonUI.exe
792	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2472 wrote to memory of 2888	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 2888	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1392	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1932	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1932	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe
PID 2472 wrote to memory of 1988	2472	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe
"C:\Users\Admin\AppData\Local\Temp\Pzszsebwqndrzimfyunhokbpqivlqwshnn.exe"
2⤵
- Adds Run key to start application
PID:2676

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8a1e24f50,0x7ff8a1e24f60,0x7ff8a1e24f70
3⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1492 /prefetch:2
3⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1836 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:8
3⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
3⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2692 /prefetch:1
3⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,3839380370085343122,12847792891243471551,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
3⤵
PID:696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:4072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:792

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a80055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\pipe\crashpad_2472_WMPFZZAYLJXKJRAU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/524-209-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/524-210-0x0000000072480000-0x00000000724A9000-memory.dmp

Filesize
164KB

Download
memory/524-212-0x0000000000FF0000-0x0000000001310000-memory.dmp

Filesize
3.1MB

Download
memory/524-214-0x00000000007E0000-0x0000000000AA3000-memory.dmp

Filesize
2.8MB

Download
memory/2420-213-0x000000000B290000-0x000000000B3FD000-memory.dmp

Filesize
1.4MB

Download
memory/2676-115-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads