12b26ee1cfae537ac38cd84b402e3453555a7c07e35e4a533ca5674701256ff8

Analysis

max time kernel
153s
max time network
160s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
12-02-2023 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample
Size

27KB
MD5

bbcfd73404a454c0c96282837603c896
SHA1

58e0f08a4204ac41b05320ba12555e7baa33b767
SHA256

12b26ee1cfae537ac38cd84b402e3453555a7c07e35e4a533ca5674701256ff8
SHA512

4ce89c355c12bf9102247cf8a19871d29ca4f71ab7aa53e49ce16e5be1d47b221d701ef015689afb3ce0bf478553f4315ca26a939f509aabf7e2d44a7c369620
SSDEEP

384:m8kuChz8iAlvolQbqF0Rt8IS+bBVZmP960cSHg11K:NkuCRIoQbqFgg60Y11K

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000\Control Panel\International\Geo\Nation	polymc.exe

Executes dropped EXE 3 IoCs

pid	Process
312	PolyMC-Windows-Setup-5.0.exe
224	ns2E8F.tmp
4636	polymc.exe

Loads dropped DLL 49 IoCs

pid	Process
312	PolyMC-Windows-Setup-5.0.exe
312	PolyMC-Windows-Setup-5.0.exe
312	PolyMC-Windows-Setup-5.0.exe
312	PolyMC-Windows-Setup-5.0.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe
4636	polymc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2192	TaskKill.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4636	polymc.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1608	chrome.exe
1608	chrome.exe
3736	chrome.exe
3736	chrome.exe
4208	chrome.exe
4208	chrome.exe
4952	chrome.exe
4952	chrome.exe
2384	chrome.exe
2384	chrome.exe
2644	chrome.exe
2644	chrome.exe
712	chrome.exe
712	chrome.exe
4716	chrome.exe
4716	chrome.exe
3736	chrome.exe
3736	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe
4356	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4636	polymc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	TaskKill.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe
3736	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 4124	3736	chrome.exe	69
PID 3736 wrote to memory of 4124	3736	chrome.exe	69
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 384	3736	chrome.exe	71
PID 3736 wrote to memory of 1608	3736	chrome.exe	72
PID 3736 wrote to memory of 1608	3736	chrome.exe	72
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73
PID 3736 wrote to memory of 3424	3736	chrome.exe	73

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\sample
1⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb24ed4f50,0x7ffb24ed4f60,0x7ffb24ed4f70
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
  2⤵
  PID:384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1700 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4400 /prefetch:8
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3040 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
  2⤵
  PID:4700
- C:\Users\Admin\Downloads\PolyMC-Windows-Setup-5.0.exe
  "C:\Users\Admin\Downloads\PolyMC-Windows-Setup-5.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:312
- - C:\Users\Admin\AppData\Local\Temp\nsl2094.tmp\ns2E8F.tmp
    "C:\Users\Admin\AppData\Local\Temp\nsl2094.tmp\ns2E8F.tmp" TaskKill /IM polymc.exe /F
    3⤵
    - Executes dropped EXE
    PID:224
  - - C:\Windows\SYSTEM32\TaskKill.exe
      TaskKill /IM polymc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2192
- - C:\Users\Admin\AppData\Local\Programs\PolyMC\polymc.exe
    "C:\Users\Admin\AppData\Local\Programs\PolyMC\polymc.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4636
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PolyMC/jars/JavaCheck.jar
      4⤵
      PID:4992
  - - C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe" -jar C:/Users/Admin/AppData/Local/Programs/PolyMC/jars/JavaCheck.jar
      4⤵
      PID:5116
  - - C:\ProgramData\Oracle\Java\javapath\javaw.exe
      javaw -jar C:/Users/Admin/AppData/Local/Programs/PolyMC/jars/JavaCheck.jar
      4⤵
      PID:4220
  - - C:\ProgramData\Oracle\Java\javapath\javaw.exe
      C:\ProgramData\Oracle\Java\javapath\javaw.exe -jar C:/Users/Admin/AppData/Local/Programs/PolyMC/jars/JavaCheck.jar
      4⤵
      PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:3360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1556,18010532141601720832,15978319526550253757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3164 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PolyMC\libgcc_s_seh-1.dll

Filesize
104KB

MD5
be0aa27293036756cf582e6f3b8fa3de

SHA1
4d21b8ecb8e6604133d6a26d3bbdef11c65829e6

SHA256
25d9b0700f69e4a9c36b84d5df80ff6528c387980789f7e189f8c2aafa9d5a57

SHA512
f4fc6e7b7f5f70711b2fef4752dceaf52e6184c461f147fed82e89bb43811aba1fe7188d11025daf3efa5fc0675863e8d80c42c78eb6d284a8d8e22ea4af50ce

Download Submit
C:\Users\Admin\AppData\Local\Programs\PolyMC\polymc.exe

Filesize
10.7MB

MD5
5593dfe68d944d3824574653d2ad3b0d

SHA1
93511fb338dcc78ae91c41a82bf12d35cfe3562d

SHA256
8aa8786c187e138993ec222f10ac403f27ab2025142cda1af590ebad1e56346b

SHA512
e1991a048356d547025f91fb4770713bca4aa54272070329d01689ec740743085a3d2e73c298f042ada8da251f4ff67bd2dbe991438c5f44b4f5d3c897fec596

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2094.tmp\ns2E8F.tmp

Filesize
11KB

MD5
12e2b56f0e0d794d63e5b3da0124981c

SHA1
4a9713aa2e2972c4e58fdda8cc9673b64df38187

SHA256
b847609b3eceaa16abd77327ae62f0802b5049aaf78bef49a3bb74efcd15be64

SHA512
c4b15c724215a23758cfc19284d1e4717e49ece01254d576c5fa4d5e9ed81556e3e64caad3b1e20a71f49d747592dc190b3c7157767489dc601779856c231902

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl2094.tmp\ns2E8F.tmp

Filesize
11KB

MD5
12e2b56f0e0d794d63e5b3da0124981c

SHA1
4a9713aa2e2972c4e58fdda8cc9673b64df38187

SHA256
b847609b3eceaa16abd77327ae62f0802b5049aaf78bef49a3bb74efcd15be64

SHA512
c4b15c724215a23758cfc19284d1e4717e49ece01254d576c5fa4d5e9ed81556e3e64caad3b1e20a71f49d747592dc190b3c7157767489dc601779856c231902

Download Submit
C:\Users\Admin\Downloads\PolyMC-Windows-Setup-5.0.exe

Filesize
37.0MB

MD5
fca2d274a3a020166d7661962adc1836

SHA1
d4e506943d4c64a87f6ac83873fc7eb88d6dd749

SHA256
b89cc2077be812a5567e5eb86870e814012c2d312cefa5961d7d036e93c3a995

SHA512
636606a164e90f55d411e006fac98f81199855c69bd6e2f6423e5320c963e695a2adb910717e11bef0d0de9897d18b1c8ca824f9f82b732ff9e8eb6fd30ff148

Download Submit
C:\Users\Admin\Downloads\PolyMC-Windows-Setup-5.0.exe

Filesize
37.0MB

MD5
fca2d274a3a020166d7661962adc1836

SHA1
d4e506943d4c64a87f6ac83873fc7eb88d6dd749

SHA256
b89cc2077be812a5567e5eb86870e814012c2d312cefa5961d7d036e93c3a995

SHA512
636606a164e90f55d411e006fac98f81199855c69bd6e2f6423e5320c963e695a2adb910717e11bef0d0de9897d18b1c8ca824f9f82b732ff9e8eb6fd30ff148

Download Submit
\Users\Admin\AppData\Local\Temp\nsl2094.tmp\System.dll

Filesize
24KB

MD5
47ba95323f37f91363eecfefb6bf88e4

SHA1
9a08ae3d832da3d7e1199afe3d41d45413cee854

SHA256
7c44c346cfc9ec199d3ec20dce30dfbec61f2c6c9accabd32780e449b5f7ff58

SHA512
91c85eb5daae4d3b4d9f9110db1019fb2d80407462b7dcef8dddde3500fdf0321c8d3eede19284c03c2c35f07face80023ce9dc9d3428ef5992fa67843734774

Download Submit
\Users\Admin\AppData\Local\Temp\nsl2094.tmp\System.dll

Filesize
24KB

MD5
47ba95323f37f91363eecfefb6bf88e4

SHA1
9a08ae3d832da3d7e1199afe3d41d45413cee854

SHA256
7c44c346cfc9ec199d3ec20dce30dfbec61f2c6c9accabd32780e449b5f7ff58

SHA512
91c85eb5daae4d3b4d9f9110db1019fb2d80407462b7dcef8dddde3500fdf0321c8d3eede19284c03c2c35f07face80023ce9dc9d3428ef5992fa67843734774

Download Submit
\Users\Admin\AppData\Local\Temp\nsl2094.tmp\nsDialogs.dll

Filesize
14KB

MD5
3122c5948b4ea998bca7765b1d631339

SHA1
31f152b86e9f1fcbe91059bd5962d4ffd8b35f02

SHA256
2107b714dadbd411e2e11126f350f744c20bc095cf22069b43b50cf2fa00cdf9

SHA512
6f9806b9fa76a08be66d31898c0fe40fc311b8d3d241ae7b47ed5dcc48e2f39b4c274791f9874603e5aaa1a07adc21b99ae20cd4a1dcb94dcaddd929ba0eb0a6

Download Submit
\Users\Admin\AppData\Local\Temp\nsl2094.tmp\nsExec.dll

Filesize
11KB

MD5
68064e5398b148a701d12383e9ac10c9

SHA1
3d04cb4c24333f1506a87961506914ffd3f3f0d9

SHA256
641fa0665b5e6bea5cbf98a19ad30b1d28039f575ff87aa98969a24618c159e7

SHA512
78432980e6331a76d70f79adf965a547f48826aae2245afab1a23f37b9812c0f7c7f7d6789c773aa8e87b66d2fd77d7d56853ae04f4857e3b006038b80f352c3

Download Submit
memory/224-125-0x0000000000000000-mapping.dmp

Download
memory/312-118-0x0000000000000000-mapping.dmp

Download
memory/2192-128-0x0000000000000000-mapping.dmp

Download
memory/3872-139-0x0000000000000000-mapping.dmp

Download
memory/4220-138-0x0000000000000000-mapping.dmp

Download
memory/4636-134-0x00007FFB13770000-0x00007FFB1379A000-memory.dmp

Filesize
168KB

Download
memory/4636-133-0x00007FFB250E0000-0x00007FFB250F6000-memory.dmp

Filesize
88KB

Download
memory/4636-135-0x00007FFB15410000-0x00007FFB15432000-memory.dmp

Filesize
136KB

Download
memory/4636-132-0x00007FFB12FE0000-0x00007FFB131A0000-memory.dmp

Filesize
1.8MB

Download
memory/4636-129-0x0000000000000000-mapping.dmp

Download
memory/4636-140-0x00007FFB153F0000-0x00007FFB1540A000-memory.dmp

Filesize
104KB

Download
memory/4992-136-0x0000000000000000-mapping.dmp

Download
memory/5116-137-0x0000000000000000-mapping.dmp

Download