Analysis
max time kernel: 88s
max time network: 88s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-01-2025 13:41
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Dcrat family
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

| description | pid | pid_target | Process | procid_target |
|---|---|---|---|---|
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3064 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2384 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 492 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1664 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3088 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3564 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1396 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4400 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4384 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 716 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3500 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4288 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2828 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3576 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4544 | 2464 | schtasks.exe | 81 |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1892 | 2464 | schtasks.exe | 81 |
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

| pid | Process |
|---|---|
| 3360 | phy.exe |
| 1704 | Winver.exe |
| 1676 | phy.exe |
| 3724 | Winver.exe |
| 1756 | Winver.exe |
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Windows directory 6 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SystemTemp | chrome.exe |
| File created | C:\Windows\SoftwareDistribution\Taskmgr.exe | Winver.exe |
| File opened for modification | C:\Windows\SoftwareDistribution\Taskmgr.exe | Winver.exe |
| File created | C:\Windows\SoftwareDistribution\cf2222726e2100 | Winver.exe |
| File created | C:\Windows\SKB\LanguageModels\Idle.exe | Winver.exe |
| File created | C:\Windows\SKB\LanguageModels\6ccacd8608530f | Winver.exe |
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | phy.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | phy.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe |
Enumerates system info in registry 2 TTPs 3 IoCs

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe |
Modifies data under HKEY_USERS 2 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813357225820433" | chrome.exe |
Modifies registry class 5 IoCs

| description | ioc | Process |
|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | phy.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | taskmgr.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | chrome.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | phy.exe |
| Key created | \REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings | Winver.exe |
NTFS ADS 1 IoCs

| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\123.txt:Zone.Identifier | chrome.exe |
Opens file in notepad (likely ransom note) 1 IoCs

| pid | Process |
|---|---|
| 3920 | NOTEPAD.EXE |
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

| pid | Process |
|---|---|
| 716 | schtasks.exe |
| 2552 | schtasks.exe |
| 492 | schtasks.exe |
| 4904 | schtasks.exe |
| 3564 | schtasks.exe |
| 4400 | schtasks.exe |
| 3088 | schtasks.exe |
| 4384 | schtasks.exe |
| 3500 | schtasks.exe |
| 3576 | schtasks.exe |
| 2384 | schtasks.exe |
| 4544 | schtasks.exe |
| 1892 | schtasks.exe |
| 2828 | schtasks.exe |
| 3064 | schtasks.exe |
| 1664 | schtasks.exe |
| 1396 | schtasks.exe |
| 4288 | schtasks.exe |
Suspicious behavior: EnumeratesProcesses 64 IoCs
(64 entries in total; identical pid/Process rows are collapsed below.)

| pid | Process |
|---|---|
| 3172 | chrome.exe |
| 3416 | taskmgr.exe |
| 1704 | Winver.exe |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

| pid | Process |
|---|---|
| 3172 | chrome.exe |
| 3172 | chrome.exe |
Suspicious use of AdjustPrivilegeToken 30 IoCs
(The chrome.exe SeShutdownPrivilege/SeCreatePagefilePrivilege pair recurs and accounts for 24 of the 30 entries; identical rows are collapsed below.)

| description | pid | Process |
|---|---|---|
| Token: SeShutdownPrivilege | 3172 | chrome.exe |
| Token: SeCreatePagefilePrivilege | 3172 | chrome.exe |
| Token: SeDebugPrivilege | 3416 | taskmgr.exe |
| Token: SeSystemProfilePrivilege | 3416 | taskmgr.exe |
| Token: SeCreateGlobalPrivilege | 3416 | taskmgr.exe |
| Token: SeDebugPrivilege | 1704 | Winver.exe |
| Token: SeDebugPrivilege | 3724 | Winver.exe |
| Token: SeDebugPrivilege | 1756 | Winver.exe |
Suspicious use of FindShellTrayWindow 64 IoCs
(64 entries in total; identical pid/Process rows are collapsed below.)

| pid | Process |
|---|---|
| 3172 | chrome.exe |
| 3416 | taskmgr.exe |
Suspicious use of SendNotifyMessage 64 IoCs
(64 entries in total; identical pid/Process rows are collapsed below.)

| pid | Process |
|---|---|
| 3172 | chrome.exe |
| 3416 | taskmgr.exe |
Suspicious use of WriteProcessMemory 64 IoCs
(64 entries in total; identical rows are collapsed below.)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 3172 wrote to memory of 2044 | 3172 | chrome.exe | 77 |
| PID 3172 wrote to memory of 4688 | 3172 | chrome.exe | 78 |
| PID 3172 wrote to memory of 4544 | 3172 | chrome.exe | 79 |
| PID 3172 wrote to memory of 1404 | 3172 | chrome.exe | 80 |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
The bracketed number is the process's depth in the tree: [1] is a top-level process, [2] a child of the preceding [1] process, and so on.

[1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3172)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn1337.site/123.txt
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2044)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7fffa458cc40,0x7fffa458cc4c,0x7fffa458cc58

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4688)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=1808 /prefetch:2

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4544)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2032,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2096 /prefetch:3

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1404)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=2376 /prefetch:8

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3340)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3032,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3060 /prefetch:1

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2524)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=3116 /prefetch:1

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4740)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4252,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4684 /prefetch:8

[2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4724)
Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,10458301223893005293,11526295402142121559,262144 --variations-seed-version=20241007-050102.714000 --mojo-platform-channel-handle=4768 /prefetch:8
- NTFS ADS

[2] C:\Windows\system32\NOTEPAD.EXE (PID 3920)
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\123.txt
- Opens file in notepad (likely ransom note)

[1] C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 1236)
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

[1] C:\Windows\system32\svchost.exe (PID 4816)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

[1] C:\Windows\System32\rundll32.exe (PID 4664)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] C:\Users\Admin\Downloads\phy.exe (PID 3360)
Command line: "C:\Users\Admin\Downloads\phy.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

[2] C:\Windows\SysWOW64\WScript.exe (PID 1360)
Command line: "C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"
- System Location Discovery: System Language Discovery

[3] C:\Windows\SysWOW64\cmd.exe (PID 4024)
Command line: C:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "
- System Location Discovery: System Language Discovery

[4] C:\ESD\Winver.exe (PID 1704)
Command line: "C:\ESD/Winver.exe"
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\System32\cmd.exe (PID 2896)
Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gzco3waf0I.bat"

[6] C:\Windows\system32\chcp.com (PID 2988)
Command line: chcp 65001

[6] C:\Windows\system32\w32tm.exe (PID 2772)
Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

[6] C:\ESD\Winver.exe (PID 3724)
Command line: "C:\ESD\Winver.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\taskmgr.exe (PID 3416)
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage

[1] C:\Windows\system32\schtasks.exe, 18 top-level instances. Each carries the signatures "Process spawned unexpected child process" and "Scheduled Task/Job: Scheduled Task".

| PID | Command line |
|---|---|
| 3064 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f |
| 2384 | schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f |
| 492 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f |
| 1664 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /f |
| 3088 | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f |
| 4904 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f |
| 3564 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f |
| 1396 | schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f |
| 4400 | schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f |
| 4384 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\SKB\LanguageModels\Idle.exe'" /f |
| 716 | schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\Idle.exe'" /rl HIGHEST /f |
| 2552 | schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\Idle.exe'" /rl HIGHEST /f |
| 3500 | schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Taskmgr.exe'" /f |
| 4288 | schtasks.exe /create /tn "Taskmgr" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Taskmgr.exe'" /rl HIGHEST /f |
| 2828 | schtasks.exe /create /tn "TaskmgrT" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\Taskmgr.exe'" /rl HIGHEST /f |
| 3576 | schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 14 /tr "'C:\ESD\Winver.exe'" /f |
| 4544 | schtasks.exe /create /tn "Winver" /sc ONLOGON /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f |
| 1892 | schtasks.exe /create /tn "WinverW" /sc MINUTE /mo 7 /tr "'C:\ESD\Winver.exe'" /rl HIGHEST /f |

[1] C:\Users\Admin\Downloads\phy.exe (PID 1676)
Command line: "C:\Users\Admin\Downloads\phy.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class

[2] C:\Windows\SysWOW64\WScript.exe (PID 2100)
Command line: "C:\Windows\System32\WScript.exe" "C:\ESD\9aaHDVpcxKfYtJqSuujTUaPokkSzlaj3bXCELnPfmUbbbzmgl5.vbe"
- System Location Discovery: System Language Discovery

[3] C:\Windows\SysWOW64\cmd.exe (PID 2400)
Command line: C:\Windows\system32\cmd.exe /c ""C:\ESD\r9FE9AzSI.bat" "
- System Location Discovery: System Language Discovery

[4] C:\ESD\Winver.exe (PID 1756)
Command line: "C:\ESD/Winver.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads