Analysis
max time kernel: 159s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-01-2023 12:31
Behavioral task: behavioral1
Sample: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Resource: win10v2004-20220812-en
General
Target: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Size: 2.3MB
MD5: 0bcf1a7b50ed4504fdaf2e11cea6aea7
SHA1: 3a7484b337392285c53212953c9cd9ca02c8070c
SHA256: ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae
SHA512: 8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97
SSDEEP: 49152:uUcZje2m3S7IdNuzPkAdmHsudtexRRuq0Ek4pbz6:uNe2KS7IAPkNHsG37gK
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/memory/4704-132-0x0000000000940000-0x0000000000B8E000-memory.dmp | dcrat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Idle.exe | dcrat
C:\Users\Admin\PrintHood\Idle.exe | dcrat

Process spawned unexpected child process (24 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (24 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 532 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1656 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2412 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5036 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4708 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1492 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4668 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4676 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4616 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4580 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1080 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 704 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4252 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1540 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1084 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1296 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1136 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2548 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4588 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4348 | 3340 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 3340 | schtasks.exe
Executes dropped EXE (1 IoCs)
Processes: Idle.exe
pid | process
2240 | Idle.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Drops file in Program Files directory (6 IoCs)
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
description | ioc | process
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\56085415360792 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Program Files\Windows NT\TableTextService\RuntimeBroker.exe | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Program Files\Windows NT\TableTextService\9e8d7a4ca61bd9 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Idle.exe | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Program Files\WindowsPowerShell\Modules\6ccacd8608530f | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Drops file in Windows directory (2 IoCs)
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
description | ioc | process
File created | C:\Windows\tracing\SearchApp.exe | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
File created | C:\Windows\tracing\38384e6a620884 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 24 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (24 instances)
pid | process
1484, 2412, 5036, 1260, 1084, 4588, 4348, 1656, 4580, 1080, 2548, 4708, 1492, 4668, 4676, 4616, 704, 1136, 532, 4252, 1540, 4384, 4388, 1296 | schtasks.exe (same process for all 24 pids)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe, Idle.exe, chrome.exe
pid | process | entries
4704 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe | 7
2240 | Idle.exe | 9
4240 | chrome.exe | 2
1116 | chrome.exe | 2
4472 | chrome.exe | 2
3468 | chrome.exe | 2
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Idle.exe
pid | process
2240 | Idle.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
Processes: chrome.exe
pid | process | entries
1116 | chrome.exe | 4
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe, Idle.exe
description | pid | process
Token: SeDebugPrivilege | 4704 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe
Token: SeDebugPrivilege | 2240 | Idle.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes: chrome.exe
pid | process | entries
1116 | chrome.exe | 26
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: chrome.exe
pid | process | entries
1116 | chrome.exe | 24
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe, chrome.exe
description | pid | process | target process
PID 4704 wrote to memory of 2240 | 4704 | 0bcf1a7b50ed4504fdaf2e11cea6aea7.exe | Idle.exe (2 entries)
PID 1116 wrote to memory of 4744 | 1116 | chrome.exe | chrome.exe (2 entries)
PID 1116 wrote to memory of 1084 | 1116 | chrome.exe | chrome.exe (repeated)
PID 1116 wrote to memory of 4240 | 1116 | chrome.exe | chrome.exe (2 entries)
PID 1116 wrote to memory of 3528 | 1116 | chrome.exe | chrome.exe (repeated)
(64 entries in total; the 1116 -> 1084 and 1116 -> 3528 rows account for the remainder.)
Processes

C:\Users\Admin\AppData\Local\Temp\0bcf1a7b50ed4504fdaf2e11cea6aea7.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\0bcf1a7b50ed4504fdaf2e11cea6aea7.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\PrintHood\Idle.exe (depth 2)
      command line: "C:\Users\Admin\PrintHood\Idle.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\odt\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\odt\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\odt\Registry.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\odt\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\SearchApp.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\SearchApp.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\wininit.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\TableTextService\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe (depth 1)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Program Files\Google\Chrome\Application\chrome.exe (depth 1)
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff900ee4f50,0x7ff900ee4f60,0x7ff900ee4f70
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1688 /prefetch:2
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2036 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4728 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4752 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe (depth 2)
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1676,12647226161530749638,16077423498894006047,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe (depth 1)
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\Idle.exe
  Filesize: 2.3MB
  MD5: 0bcf1a7b50ed4504fdaf2e11cea6aea7
  SHA1: 3a7484b337392285c53212953c9cd9ca02c8070c
  SHA256: ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae
  SHA512: 8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97

C:\Users\Admin\PrintHood\Idle.exe
  Filesize: 2.3MB
  MD5: 0bcf1a7b50ed4504fdaf2e11cea6aea7
  SHA1: 3a7484b337392285c53212953c9cd9ca02c8070c
  SHA256: ae1688c122262eca8536d54c6bfcb14ce0181cadffa680600b6b9ed6f4cce0ae
  SHA512: 8c3f614f1cb6d5c2d02013d2625af210096e33f56a3449321d4fee8b23f80eaab2a340af327316eb316d6d95099b6aa6bb82ea1b48d9409418ba603779ee1d97

\??\pipe\crashpad_1116_GILJCICDXOETAROG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2240-136-0x0000000000000000-mapping.dmp

memory/2240-140-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
  Filesize: 10.8MB

memory/2240-141-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
  Filesize: 10.8MB

memory/4704-132-0x0000000000940000-0x0000000000B8E000-memory.dmp
  Filesize: 2.3MB

memory/4704-133-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
  Filesize: 10.8MB

memory/4704-134-0x000000001B8C0000-0x000000001B910000-memory.dmp
  Filesize: 320KB

memory/4704-135-0x000000001D5F0000-0x000000001DB18000-memory.dmp
  Filesize: 5.2MB

memory/4704-139-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
  Filesize: 10.8MB