badrabbit | hxxps://github[.]com/nbs32k/Petya2

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

EXCEL.EXEWINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exeEXCEL.EXEWINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752099157741372"	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exemspaint.exemspaint.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	mspaint.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

Processes:

schtasks.exeschtasks.exe

pid	Process
316	schtasks.exe
1460	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

vlc.exeEXCEL.EXEWINWORD.EXEvlc.exe

pid	Process
3928	vlc.exe
3124	EXCEL.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
744	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exerundll32.exe7DDC.tmprundll32.exetaskmgr.exe

pid	Process
4752	chrome.exe
4752	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
1328	chrome.exe
2648	rundll32.exe
2648	rundll32.exe
2648	rundll32.exe
2648	rundll32.exe
2452	7DDC.tmp
2452	7DDC.tmp
2452	7DDC.tmp
2452	7DDC.tmp
2452	7DDC.tmp
2452	7DDC.tmp
2452	7DDC.tmp
3216	rundll32.exe
3216	rundll32.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

taskmgr.exevlc.exevlc.exe

pid	Process
4492	taskmgr.exe
3928	vlc.exe
744	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid	Process
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe
Token: SeShutdownPrivilege	4752	chrome.exe
Token: SeCreatePagefilePrivilege	4752	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	Process
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	Process
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4752	chrome.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe
4492	taskmgr.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

vlc.exemspaint.exeOpenWith.exeEXCEL.EXEmspaint.exeWINWORD.EXEmspaint.exeOpenWith.exevlc.exe

pid	Process
3928	vlc.exe
1832	mspaint.exe
744	OpenWith.exe
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
3124	EXCEL.EXE
1236	mspaint.exe
1236	mspaint.exe
1236	mspaint.exe
1236	mspaint.exe
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
4040	WINWORD.EXE
1900	mspaint.exe
4824	OpenWith.exe
744	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 4752 wrote to memory of 4468	4752	chrome.exe	84
PID 4752 wrote to memory of 4468	4752	chrome.exe	84
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 2920	4752	chrome.exe	85
PID 4752 wrote to memory of 4768	4752	chrome.exe	86
PID 4752 wrote to memory of 4768	4752	chrome.exe	86
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87
PID 4752 wrote to memory of 2840	4752	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/nbs32k/Petya2
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffccb00cc40,0x7ffccb00cc4c,0x7ffccb00cc58
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3688 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4920,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5148,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5308,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5440,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5484,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5108,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4792,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1444,i,13338577561615528439,1175701863103323347,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:2820

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3460

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1456
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3984
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1148757064 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4236
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1148757064 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:316
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:26:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 16:26:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1460
- - C:\Windows\7DDC.tmp
    "C:\Windows\7DDC.tmp" \\.\pipe\{B34FD8ED-21E0-4717-8D31-9532F88C2682}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2452

C:\Users\Admin\Desktop\[email protected]
"C:\Users\Admin\Desktop\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2824
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3216

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\CompareMerge.otf
1⤵
PID:1148

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:4492

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\EditConvertTo.mid"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\CopyEnter.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:744

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\WaitEnable.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3124

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ExitRemove.ico"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1652

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\OutClose.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\My Wallpaper.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Music\EnableRestart.avi"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery