Analysis
- max time kernel: 1749s
- max time network: 1799s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 18:34
Behavioral task: behavioral1
- Sample: chainbrowserSession - Copie.exe
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: chainbrowserSession - Copie.exe
- Resource: win7-20231129-en
General
- Target: chainbrowserSession - Copie.exe
- Size: 827KB
- MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
- SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
- SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
- SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc
- SSDEEP: 12288:aAavWfeLpHbw89c1R66n20OHjNJWZtWDqEneSfIY9DyQpPt:RavZpHbw1R6PlTGqqERfFDyel
Malware Config
Signatures
- DcRat
  DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
- Process spawned unexpected child process (36 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes (description / pid / pid_target / process): in all 36 rows the description is "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target is 2988 and the process is schtasks.exe. The pid values, in report order, are:
  3036, 3048, 2160, 2580, 2636, 2672, 2864, 2448, 2556, 2716, 2612, 2496, 2492, 2560, 2948, 1676, 2328, 1960, 1576, 2332, 1972, 2184, 1436, 1912, 2624, 2780, 2788, 2792, 1652, 2920, 2816, 1328, 1748, 2300, 2288, 536
- Executes dropped EXE (34 IoCs)
  Processes (pid / process): 948 dllhost.exe, 268 Idle.exe, 2492 spoolsv.exe, 2068 smss.exe, 2088 winlogon.exe, 2444 dllhost.exe, 2580 Idle.exe, 2776 spoolsv.exe, 1032 audiodg.exe, 972 csrss.exe, 1532 sppsvc.exe, 1556 taskhost.exe, 2420 dwm.exe, 2824 services.exe, 1072 Idle.exe, 2440 spoolsv.exe, 1648 smss.exe, 1748 winlogon.exe, 376 dllhost.exe, 1588 Idle.exe, 1324 spoolsv.exe, 2236 smss.exe, 836 csrss.exe, 2184 sppsvc.exe, 188 winlogon.exe, 468 audiodg.exe, 1940 Idle.exe, 2656 spoolsv.exe, 2464 taskhost.exe, 2004 dllhost.exe, 1652 services.exe, 2124 dwm.exe, 2988 spoolsv.exe, 1732 Idle.exe
- Drops file in System32 directory (1 IoC)
  Processes (description / ioc / process):
  File created: C:\Windows\SysWOW64\explorer.exe (by chainbrowserSession - Copie.exe)
- Drops file in Program Files directory (11 IoCs)
  Processes (description / ioc / process); every entry is by chainbrowserSession - Copie.exe:
  File opened for modification: C:\Program Files\VideoLAN\VLC\winlogon.exe
  File created: C:\Program Files\Windows NT\Accessories\ja-JP\f3b6ecef712a24
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
  File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\42af1c969fbb7b
  File created: C:\Program Files\VideoLAN\VLC\winlogon.exe
  File created: C:\Program Files\VideoLAN\VLC\cc11b995f2a76d
  File created: C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
  File created: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\6ccacd8608530f
  File created: C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
  File created: C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
  File created: C:\Program Files (x86)\Windows Photo Viewer\de-DE\5940a34987c991
- Drops file in Windows directory (4 IoCs)
  Processes (description / ioc / process); every entry is by chainbrowserSession - Copie.exe:
  File created: C:\Windows\ehome\smss.exe
  File created: C:\Windows\ehome\69ddcba757bf72
  File created: C:\Windows\ja-JP\csrss.exe
  File created: C:\Windows\ja-JP\886983d96e3d3e
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 36 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid / process); every entry is schtasks.exe, with pids:
  2780, 1328, 536, 2160, 2328, 2788, 2792, 2556, 2496, 1960, 2920, 3048, 1912, 2816, 2624, 2300, 2716, 2560, 1972, 2184, 1436, 2672, 2864, 1748, 2332, 2288, 3036, 2580, 2448, 2948, 1576, 2636, 2612, 2492, 1676, 1652
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid / process): 2368 chainbrowserSession - Copie.exe (5 entries), 948 dllhost.exe (9 entries)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid / process): 948 dllhost.exe
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / pid / process); every entry is Token: SeDebugPrivilege, for:
  2368 chainbrowserSession - Copie.exe, 948 dllhost.exe, 2492 spoolsv.exe, 268 Idle.exe, 2068 smss.exe, 2088 winlogon.exe, 2444 dllhost.exe, 2776 spoolsv.exe, 2580 Idle.exe, 1032 audiodg.exe, 1532 sppsvc.exe, 972 csrss.exe, 1556 taskhost.exe, 2420 dwm.exe, 2824 services.exe, 1072 Idle.exe, 2440 spoolsv.exe, 1748 winlogon.exe, 1648 smss.exe, 376 dllhost.exe, 1588 Idle.exe, 1324 spoolsv.exe, 836 csrss.exe, 2184 sppsvc.exe, 2236 smss.exe, 188 winlogon.exe, 468 audiodg.exe, 1940 Idle.exe, 2656 spoolsv.exe, 2464 taskhost.exe, 2004 dllhost.exe, 2124 dwm.exe, 1652 services.exe, 2988 spoolsv.exe, 1732 Idle.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description / pid / process / target process); each pair below is logged three times, except the final pair, which appears once because the list ends at 64 entries:
  PID 2368 chainbrowserSession - Copie.exe wrote to memory of 1332 cmd.exe
  PID 1332 cmd.exe wrote to memory of 956 w32tm.exe
  PID 1332 cmd.exe wrote to memory of 948 dllhost.exe
  PID 2280 taskeng.exe wrote to memory of 268 Idle.exe
  PID 2280 taskeng.exe wrote to memory of 2492 spoolsv.exe
  PID 2280 taskeng.exe wrote to memory of 2068 smss.exe
  PID 2280 taskeng.exe wrote to memory of 2088 winlogon.exe
  PID 2280 taskeng.exe wrote to memory of 2444 dllhost.exe
  PID 2280 taskeng.exe wrote to memory of 2580 Idle.exe
  PID 2280 taskeng.exe wrote to memory of 2776 spoolsv.exe
  PID 2280 taskeng.exe wrote to memory of 1032 audiodg.exe
  PID 2280 taskeng.exe wrote to memory of 972 csrss.exe
  PID 2280 taskeng.exe wrote to memory of 1532 sppsvc.exe
  PID 2280 taskeng.exe wrote to memory of 1556 taskhost.exe
  PID 2280 taskeng.exe wrote to memory of 2824 services.exe
  PID 2280 taskeng.exe wrote to memory of 2420 dwm.exe
  PID 2280 taskeng.exe wrote to memory of 1072 Idle.exe
  PID 2280 taskeng.exe wrote to memory of 2440 spoolsv.exe
  PID 2280 taskeng.exe wrote to memory of 1648 smss.exe
  PID 2280 taskeng.exe wrote to memory of 1748 winlogon.exe
  PID 2280 taskeng.exe wrote to memory of 376 dllhost.exe
  PID 2280 taskeng.exe wrote to memory of 1588 Idle.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the bracketed number is the depth of the entry in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2368
  [2] C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9wHWbohcCd.bat"
      - Suspicious use of WriteProcessMemory
      PID: 1332
    [3] C:\Windows\system32\w32tm.exe
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 956
    [3] C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
        Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        PID: 948
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3036
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 3048
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2160
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2580
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2636
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2672
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2864
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2448
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2556
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2716
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2612
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2496
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\services.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2492
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2560
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2948
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1676
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2328
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1960
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1576
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2332
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1972
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2184
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1436
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1912
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\smss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2624
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2780
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2788
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2792
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1652
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2920
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\csrss.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2816
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1328
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 1748
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2300
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 2288
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
    - Process spawned unexpected child process
    - Creates scheduled task(s)
    PID: 536
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {CA50A649-362A-49FA-9D70-BE734B971FD7} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory
    PID: 2280
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 268
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2492
  [2] C:\Windows\ehome\smss.exe
      Command line: C:\Windows\ehome\smss.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2068
  [2] C:\Program Files\VideoLAN\VLC\winlogon.exe
      Command line: "C:\Program Files\VideoLAN\VLC\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2088
  [2] C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
      Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2444
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2580
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2776
  [2] C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
      Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1032
  [2] C:\Windows\ja-JP\csrss.exe
      Command line: C:\Windows\ja-JP\csrss.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 972
  [2] C:\Users\Default User\sppsvc.exe
      Command line: "C:\Users\Default User\sppsvc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1532
  [2] C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
      Command line: C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1556
  [2] C:\Users\Admin\Music\services.exe
      Command line: C:\Users\Admin\Music\services.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2824
  [2] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe
      Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2420
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1072
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2440
  [2] C:\Windows\ehome\smss.exe
      Command line: C:\Windows\ehome\smss.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1648
  [2] C:\Program Files\VideoLAN\VLC\winlogon.exe
      Command line: "C:\Program Files\VideoLAN\VLC\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1748
  [2] C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
      Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 376
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1588
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1324
  [2] C:\Windows\ja-JP\csrss.exe
      Command line: C:\Windows\ja-JP\csrss.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 836
  [2] C:\Windows\ehome\smss.exe
      Command line: C:\Windows\ehome\smss.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2236
  [2] C:\Users\Default User\sppsvc.exe
      Command line: "C:\Users\Default User\sppsvc.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2184
  [2] C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
      Command line: "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 468
  [2] C:\Program Files\VideoLAN\VLC\winlogon.exe
      Command line: "C:\Program Files\VideoLAN\VLC\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 188
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1940
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2656
  [2] C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
      Command line: C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2464
  [2] C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
      Command line: "C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2004
  [2] C:\Users\Admin\Music\services.exe
      Command line: C:\Users\Admin\Music\services.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1652
  [2] C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe
      Command line: "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2124
  [2] C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
      Command line: "C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 1732
  [2] C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
      Command line: "C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID: 2988
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 226B
  MD5: 6e4709f06c71fb60bd08754cee36454e
  SHA1: ca1dc0244cf519b483f3762a133b5cec266d5244
  SHA256: 6d6e7e3b2a5202adb1aaa007f6dc5b40423c9192374d20354f9ea006f7d845cc
  SHA512: 2a09bdea833b9ea0c3df454bfd78f8d14b86c644580eed6f3459eed78abc88b9100dc7e771b2f1ae41dcd5f7890bde789f123ed346acf8ccd79e651bb6e8d207
- Filesize: 827KB
  MD5: dcd1dbdf7c8bfb9263e5dda02b1bfa79
  SHA1: 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
  SHA256: 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
  SHA512: d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc