Analysis
-
max time kernel
158s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
16-02-2022 13:15
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://fex.net/s/b0nolal
Resource
win10v2004-en-20220112
windows10-2004_x64
0 signatures
0 seconds
General
-
Target
https://fex.net/s/b0nolal
Score
10/10
Malware Config
Signatures
-
LoaderBot executable 1 IoCs
resource yara_rule behavioral1/memory/1036-144-0x00000000038C0000-0x0000000003CCD000-memory.dmp loaderbot -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 1036 OSIRIS_cs.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Driver.url OSIRIS_cs.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Sysfiles\\OSIRIS_cs.exe" OSIRIS_cs.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1036 OSIRIS_cs.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 MusNotifyIcon.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz MusNotifyIcon.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Modifies data under HKEY_USERS 51 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132896673848197731" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "4.191741" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "1.428028" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4312" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4008" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006618" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4104" svchost.exe Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config svchost.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings chrome.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2504 chrome.exe 2504 chrome.exe 3016 chrome.exe 3016 chrome.exe 4580 chrome.exe 4580 chrome.exe 4636 chrome.exe 4636 chrome.exe 2456 chrome.exe 2456 chrome.exe 1036 OSIRIS_cs.exe 1036 OSIRIS_cs.exe 1036 OSIRIS_cs.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe Token: SeRestorePrivilege 4840 TiWorker.exe Token: SeSecurityPrivilege 4840 TiWorker.exe Token: SeBackupPrivilege 4840 TiWorker.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3568 7zFM.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe 3016 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 3640 3016 chrome.exe 58 PID 3016 wrote to memory of 3640 3016 chrome.exe 58 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 1928 3016 chrome.exe 60 PID 3016 wrote to memory of 2504 3016 chrome.exe 61 PID 3016 wrote to memory of 2504 3016 chrome.exe 61 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62 PID 3016 wrote to memory of 2996 3016 chrome.exe 62
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://fex.net/s/b0nolal1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffb369c4f50,0x7ffb369c4f60,0x7ffb369c4f702⤵PID:3640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:22⤵PID:1928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2040 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:82⤵PID:2996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:12⤵PID:2752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:12⤵PID:1576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:82⤵PID:3600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:12⤵PID:2960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:12⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:82⤵PID:4512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:82⤵PID:4544
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4580
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:82⤵PID:4680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:82⤵PID:4712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5884 /prefetch:82⤵PID:4780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:82⤵PID:4852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:82⤵PID:4908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:82⤵PID:4940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4860 /prefetch:82⤵PID:2216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 /prefetch:82⤵PID:3972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵PID:3244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:12⤵PID:4556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:12⤵PID:4724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5828 /prefetch:82⤵PID:4192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1668,11263505867784927862,13475597570226563351,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 /prefetch:82⤵PID:4184
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1960
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
PID:2160
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4344
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4840
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:408
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\OSIRIS_cs.exe"1⤵
- Suspicious use of FindShellTrayWindow
PID:3568
-
C:\Users\Admin\Desktop\OSIRIS_cs.exe"C:\Users\Admin\Desktop\OSIRIS_cs.exe"1⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1036