Analysis
- max time kernel: 131s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 23:41
Behavioral task: behavioral1
- Sample: chainbrowserSession - Copie.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: chainbrowserSession - Copie.exe
- Resource: win7-20240508-en
General
- Target: chainbrowserSession - Copie.exe
- Size: 827KB
- MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
- SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
- SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
- SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
- SSDEEP: 12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 27 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (27 instances)
description (identical for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid | pid_target | process
2656 | 2824 | schtasks.exe
2724 | 2824 | schtasks.exe
2792 | 2824 | schtasks.exe
2616 | 2824 | schtasks.exe
2164 | 2824 | schtasks.exe
2816 | 2824 | schtasks.exe
2772 | 2824 | schtasks.exe
2648 | 2824 | schtasks.exe
1836 | 2824 | schtasks.exe
2544 | 2824 | schtasks.exe
1460 | 2824 | schtasks.exe
2744 | 2824 | schtasks.exe
3044 | 2824 | schtasks.exe
2000 | 2824 | schtasks.exe
2848 | 2824 | schtasks.exe
2860 | 2824 | schtasks.exe
3020 | 2824 | schtasks.exe
2984 | 2824 | schtasks.exe
1632 | 2824 | schtasks.exe
2612 | 2824 | schtasks.exe
1312 | 2824 | schtasks.exe
1944 | 2824 | schtasks.exe
2012 | 2824 | schtasks.exe
808 | 2824 | schtasks.exe
2500 | 2824 | schtasks.exe
2776 | 2824 | schtasks.exe
2688 | 2824 | schtasks.exe
-
Yara matches:
resource | yara_rule
behavioral2/memory/2412-1-0x00000000000D0000-0x00000000001A6000-memory.dmp | dcrat
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe | dcrat
behavioral2/memory/1288-29-0x0000000000CF0000-0x0000000000DC6000-memory.dmp | dcrat
-
Executes dropped EXE 1 IoCs
Processes: csrss.exe
pid | process
1288 | csrss.exe
-
Drops file in Program Files directory 9 IoCs
Processes: chainbrowserSession - Copie.exe
description | ioc | process
File created | C:\Program Files\Microsoft Games\886983d96e3d3e | chainbrowserSession - Copie.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\chainbrowserSession - Copie.exe | chainbrowserSession - Copie.exe
File created | C:\Program Files (x86)\Internet Explorer\it-IT\ed46fb86cf7d8f | chainbrowserSession - Copie.exe
File created | C:\Program Files\Microsoft Games\csrss.exe | chainbrowserSession - Copie.exe
File opened for modification | C:\Program Files\Microsoft Games\csrss.exe | chainbrowserSession - Copie.exe
File created | C:\Program Files\Windows NT\lsm.exe | chainbrowserSession - Copie.exe
File created | C:\Program Files\Windows NT\101b941d020240 | chainbrowserSession - Copie.exe
File created | C:\Program Files (x86)\Windows Portable Devices\dllhost.exe | chainbrowserSession - Copie.exe
File created | C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 | chainbrowserSession - Copie.exe
-
Drops file in Windows directory 2 IoCs
Processes: chainbrowserSession - Copie.exe
description | ioc | process
File created | C:\Windows\Tasks\sppsvc.exe | chainbrowserSession - Copie.exe
File created | C:\Windows\Tasks\0a1fd5f707cd16 | chainbrowserSession - Copie.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 27 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (27 instances)
pid | process
2164, 2816, 2772, 1836, 2744, 2860, 2724, 2616, 2500, 2776, 2000, 2848, 3044, 1312, 2656, 1460, 3020, 2544, 2984, 2012, 2792, 2648, 2612, 1944, 2688, 1632, 808 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes: chainbrowserSession - Copie.exe, csrss.exe, chrome.exe
pid | process
2412 | chainbrowserSession - Copie.exe (3 rows)
1288 | csrss.exe (9 rows)
2468 | chrome.exe (2 rows)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: csrss.exe
pid | process
1288 | csrss.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: chainbrowserSession - Copie.exe, csrss.exe, chrome.exe
description | pid | process
Token: SeDebugPrivilege | 2412 | chainbrowserSession - Copie.exe
Token: SeDebugPrivilege | 1288 | csrss.exe
Token: SeShutdownPrivilege | 2468 | chrome.exe (62 rows)
-
Suspicious use of FindShellTrayWindow 34 IoCs
Processes: chrome.exe
pid | process
2468 | chrome.exe (34 rows)
-
Suspicious use of SendNotifyMessage 32 IoCs
Processes: chrome.exe
pid | process
2468 | chrome.exe (32 rows)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: chainbrowserSession - Copie.exe, cmd.exe, chrome.exe
description | pid | process | target process
PID 2412 wrote to memory of 1560 | 2412 | chainbrowserSession - Copie.exe | cmd.exe (3 rows)
PID 1560 wrote to memory of 1572 | 1560 | cmd.exe | w32tm.exe (3 rows)
PID 1560 wrote to memory of 1288 | 1560 | cmd.exe | csrss.exe (3 rows)
PID 2468 wrote to memory of 1960 | 2468 | chrome.exe | chrome.exe (3 rows)
PID 2468 wrote to memory of 2420 | 2468 | chrome.exe | chrome.exe (39 rows)
PID 2468 wrote to memory of 1592 | 2468 | chrome.exe | chrome.exe (3 rows)
PID 2468 wrote to memory of 688 | 2468 | chrome.exe | chrome.exe (10 rows)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2412
  - C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fYF326F7I1.bat"
    - Suspicious use of WriteProcessMemory
    PID: 1560
    - C:\Windows\system32\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      PID: 1572
    - C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe
      Command line: "C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 1288
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2656
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2724
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2792
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2616
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2164
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2816
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2772
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2648
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\taskhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1836
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\chainbrowserSession - Copie.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2544
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1460
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2744
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3044
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2000
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2848
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2860
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3020
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2984
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\lsm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1632
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2612
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\lsm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1312
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1944
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2012
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 808
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2500
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2776
- C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2468
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef26b9758,0x7fef26b9768,0x7fef26b9778
    PID: 1960
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1092 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:2
    PID: 2420
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1432 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:8
    PID: 1592
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:8
    PID: 688
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:1
    PID: 2120
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:1
    PID: 1432
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1592 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:2
    PID: 2000
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1320 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:1
    PID: 1772
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:8
    PID: 2964
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3384 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:8
    PID: 1600
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3440 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:8
    PID: 532
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2664 --field-trial-handle=1376,i,8150378986033054963,569101894322927145,131072 /prefetch:1
    PID: 992
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 2252
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 827KB
  MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
  SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
  SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
  SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
- Filesize: 5KB
  MD5: cf486cde82841124d63af8e1b47f7450
  SHA1: 624d873625dbe47b1df4de5ac8e40d1aed227d3f
  SHA256: a138a1d30323581008b7810593afaff7280a51d87259171e56432917dac5b91d
  SHA512: 441b866e790ebd5da9e7dcc1e79962e84f0a2bff7da21703bdb498bcfe1d6705865276b5e90c6ec9adde1b92e304c3fca36459b6bd789b6faf5a777e396e69d6
- Filesize: 16B
  MD5: 18e723571b00fb1694a3bad6c78e4054
  SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
  SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
  SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2
- Filesize: 223B
  MD5: d7691bded6ad1cbfd6d28e691d24510c
  SHA1: a410ca80250f1a7aa8c74cdd315579f7ea5271e2
  SHA256: 6267516478ff331b2722d24bf402e4c84ef1be8b59f6ae9dc91ec7a4a3478db7
  SHA512: 2cdd877a08fe1bbd08cf63d7007aa801612fb60105fdaf15a26192275edef10e6985a2a103ab12f4ca2084b2374969e14bf1c76b04ff253cb27555d1c574718d
- Filesize: (not given)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e