badrabbit | hxxps://youtube[.]com

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
2384	schtasks.exe
3892	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	chrome.exe
1212	chrome.exe
3804	chrome.exe
3804	chrome.exe
1724	chrome.exe
1724	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
1800	chrome.exe
1800	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
3136	chrome.exe
3136	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
872	chrome.exe
872	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2400	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	taskmgr.exe
Token: SeSystemProfilePrivilege	2400	taskmgr.exe
Token: SeCreateGlobalPrivilege	2400	taskmgr.exe
Token: SeShutdownPrivilege	616	rundll32.exe
Token: SeDebugPrivilege	616	rundll32.exe
Token: SeTcbPrivilege	616	rundll32.exe
Token: SeDebugPrivilege	1688	76F7.tmp
Token: SeShutdownPrivilege	3652	rundll32.exe
Token: SeDebugPrivilege	3652	rundll32.exe
Token: SeTcbPrivilege	3652	rundll32.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
2400	taskmgr.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe
3804	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3312	LogonUI.exe
3312	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 600	3804	chrome.exe	68
PID 3804 wrote to memory of 600	3804	chrome.exe	68
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1352	3804	chrome.exe	69
PID 3804 wrote to memory of 1212	3804	chrome.exe	70
PID 3804 wrote to memory of 1212	3804	chrome.exe	70
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71
PID 3804 wrote to memory of 2536	3804	chrome.exe	71

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://youtube.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xcc,0xdc,0x7fff748f4f50,0x7fff748f4f60,0x7fff748f4f70
  2⤵
  PID:600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1528 /prefetch:2
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:68
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1472 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4052 /prefetch:8
  2⤵
  PID:656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2936 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1036 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1516,9052376508872872581,14108415255690425250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2012 /prefetch:8
  2⤵
  PID:1940

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Fake SmartScreen.zip\bootstrap.min.js"
1⤵
PID:2832

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Windows directory
PID:2708
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Modifies extensions of user files
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:616
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3624
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2073752434 && exit"
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2073752434 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:38:00
    3⤵
    PID:3948
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:38:00
      4⤵
      Creates scheduled task(s)
      PID:2384
- - C:\Windows\76F7.tmp
    "C:\Windows\76F7.tmp" \\.\pipe\{75BB7AE9-D78B-480D-923D-3AD41D65DA44}
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1688

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Windows directory
PID:1424
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3652

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3a85855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery