Analysis
max time kernel: 1759s
max time network: 1803s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 15-05-2024 18:34
Behavioral task: behavioral1
Sample: chainbrowserSession - Copie.exe
Resource: win10-20240404-en

Behavioral task: behavioral2
Sample: chainbrowserSession - Copie.exe
Resource: win7-20231129-en
General
Target: chainbrowserSession - Copie.exe
Size: 827KB
MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
SSDEEP: 12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel
Malware Config
Signatures
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (33 instances)
description (same for every row): Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid_target (same for every row): 3736
pid / process: 1848, 596, 4668, 4612, 4604, 316, 3908, 4872, 4880, 68, 4028, 3576, 948, 1204, 2872, 912, 4560, 1156, 3312, 428, 4600, 2036, 4588, 1248, 2256, 4328, 2028, 3712, 1652, 3744, 1384, 4564, 2216 (all schtasks.exe)
YARA matches (resource: yara_rule):
behavioral1/memory/1452-1-0x0000000000E80000-0x0000000000F56000-memory.dmp: dcrat
C:\Program Files (x86)\Google\Update\csrss.exe: dcrat
Executes dropped EXE 25 IoCs
Processes (pid  process):
3708  InstallAgent.exe
4764  explorer.exe
2304  chainbrowserSession - Copie.exe
3360  dllhost.exe
1044  ApplicationFrameHost.exe
4480  sihost.exe
1992  InstallAgent.exe
3600  RuntimeBroker.exe
2040  csrss.exe
3780  explorer.exe
3308  chainbrowserSession - Copie.exe
2764  dllhost.exe
3232  ApplicationFrameHost.exe
1204  sihost.exe
1244  InstallAgent.exe
216   RuntimeBroker.exe
1536  explorer.exe
1824  chainbrowserSession - Copie.exe
3440  dllhost.exe
4460  csrss.exe
928   explorer.exe
1892  ApplicationFrameHost.exe
5104  sihost.exe
2036  InstallAgent.exe
680   RuntimeBroker.exe
Drops file in Program Files directory 17 IoCs
Processes: chainbrowserSession - Copie.exe (process for every row)
description  ioc
File created  C:\Program Files (x86)\Windows Media Player\es-ES\66fc9ff0ee96c2
File created  C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe
File created  C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe
File created  C:\Program Files (x86)\Windows Mail\ed46fb86cf7d8f
File created  C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe
File created  C:\Program Files (x86)\Windows Sidebar\200f98429d280b
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe
File created  C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991
File created  C:\Program Files (x86)\Google\Update\csrss.exe
File created  C:\Program Files (x86)\Google\Update\886983d96e3d3e
File opened for modification  C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe
File created  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2
File created  C:\Program Files\Internet Explorer\ja-JP\9e8d7a4ca61bd9
File created  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ed46fb86cf7d8f
File created  C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe
File created  C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe
Drops file in Windows directory 4 IoCs
Processes: chainbrowserSession - Copie.exe (process for every row)
description  ioc
File created  C:\Windows\INF\UGTHRSVC\0410\explorer.exe
File created  C:\Windows\INF\UGTHRSVC\0410\7a0fd90576e088
File created  C:\Windows\LiveKernelReports\InstallAgent.exe
File created  C:\Windows\LiveKernelReports\200f98429d280b
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (33 instances)
pid / process: 316, 3908, 912, 2036, 2216, 596, 3576, 1204, 4600, 4588, 1652, 1848, 4028, 2872, 3312, 4880, 68, 4560, 428, 1248, 2256, 4328, 2028, 1384, 4668, 1156, 3712, 4612, 4564, 4604, 4872, 948, 3744 (all schtasks.exe)
Modifies registry class 1 IoCs
Processes: chainbrowserSession - Copie.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings  chainbrowserSession - Copie.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes (pid  process):
1452  chainbrowserSession - Copie.exe  (6 entries)
3708  InstallAgent.exe  (9 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid  process):
3708  InstallAgent.exe
Suspicious use of AdjustPrivilegeToken 26 IoCs
Processes (pid  process); description for every entry: Token: SeDebugPrivilege
1452  chainbrowserSession - Copie.exe
3708  InstallAgent.exe
4764  explorer.exe
2304  chainbrowserSession - Copie.exe
3360  dllhost.exe
4480  sihost.exe
1044  ApplicationFrameHost.exe
1992  InstallAgent.exe
3600  RuntimeBroker.exe
2040  csrss.exe
3780  explorer.exe
3308  chainbrowserSession - Copie.exe
2764  dllhost.exe
3232  ApplicationFrameHost.exe
1204  sihost.exe
1244  InstallAgent.exe
216   RuntimeBroker.exe
1536  explorer.exe
1824  chainbrowserSession - Copie.exe
3440  dllhost.exe
4460  csrss.exe
928   explorer.exe
1892  ApplicationFrameHost.exe
5104  sihost.exe
2036  InstallAgent.exe
680   RuntimeBroker.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description  pid  process  target process):
PID 1452 wrote to memory of 1016  1452  chainbrowserSession - Copie.exe  cmd.exe  (2 entries)
PID 1016 wrote to memory of 5068  1016  cmd.exe  w32tm.exe  (2 entries)
PID 1016 wrote to memory of 3708  1016  cmd.exe  InstallAgent.exe  (2 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(each entry gives the image path and PID, then the command line, then the signatures that process triggered; indentation shows parent/child nesting)

C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe  (PID 1452)
  command line: "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe  (PID 1016)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Do7QgDwaAc.bat"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\w32tm.exe  (PID 5068)
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    C:\Windows\LiveKernelReports\InstallAgent.exe  (PID 3708)
      command line: "C:\Windows\LiveKernelReports\InstallAgent.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\schtasks.exe  (PID 1848)
  command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 596)
  command line: schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4668)
  command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4612)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4604)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 316)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 3908)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4872)
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4880)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 68)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4028)
  command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 3576)
  command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 948)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 1204)
  command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 2872)
  command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 912)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4560)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 1156)
  command line: schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 3312)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 428)
  command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4600)
  command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 2036)
  command line: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4588)
  command line: schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 1248)
  command line: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 2256)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4328)
  command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 2028)
  command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 3712)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 1652)
  command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 3744)
  command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 1384)
  command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 4564)
  command line: schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)

C:\Windows\system32\schtasks.exe  (PID 2216)
  command line: schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
C:\Windows\INF\UGTHRSVC\0410\explorer.exe  (PID 4764)
  command line: C:\Windows\INF\UGTHRSVC\0410\explorer.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe  (PID 2304)
  command line: "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe  (PID 3360)
  command line: "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\All Users\Desktop\ApplicationFrameHost.exe  (PID 1044)
  command line: "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe  (PID 4480)
  command line: "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\LiveKernelReports\InstallAgent.exe  (PID 1992)
  command line: C:\Windows\LiveKernelReports\InstallAgent.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe  (PID 3600)
  command line: "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Google\Update\csrss.exe  (PID 2040)
  command line: "C:\Program Files (x86)\Google\Update\csrss.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\INF\UGTHRSVC\0410\explorer.exe  (PID 3780)
  command line: C:\Windows\INF\UGTHRSVC\0410\explorer.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe  (PID 3308)
  command line: "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe  (PID 2764)
  command line: "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\All Users\Desktop\ApplicationFrameHost.exe  (PID 3232)
  command line: "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe  (PID 1204)
  command line: "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\LiveKernelReports\InstallAgent.exe  (PID 1244)
  command line: C:\Windows\LiveKernelReports\InstallAgent.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe  (PID 216)
  command line: "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\INF\UGTHRSVC\0410\explorer.exe  (PID 1536)
  command line: C:\Windows\INF\UGTHRSVC\0410\explorer.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe  (PID 1824)
  command line: "C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe  (PID 3440)
  command line: "C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Google\Update\csrss.exe  (PID 4460)
  command line: "C:\Program Files (x86)\Google\Update\csrss.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\INF\UGTHRSVC\0410\explorer.exe  (PID 928)
  command line: C:\Windows\INF\UGTHRSVC\0410\explorer.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\All Users\Desktop\ApplicationFrameHost.exe  (PID 1892)
  command line: "C:\Users\All Users\Desktop\ApplicationFrameHost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe  (PID 5104)
  command line: "C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\LiveKernelReports\InstallAgent.exe  (PID 2036)
  command line: C:\Windows\LiveKernelReports\InstallAgent.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe  (PID 680)
  command line: "C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads