Malware Analysis Report

2024-11-13 13:43

Sample ID 240515-w75y4sdg6t
Target chainbrowserSession - Copie.exe
SHA256 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae

Threat Level: Known bad

The file chainbrowserSession - Copie.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Process spawned unexpected child process

Dcrat family

DCRat payload

DcRat

DCRat payload

Executes dropped EXE

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 18:34

Signatures

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Dcrat family

dcrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 18:34

Reported

2024-05-15 19:18

Platform

win10-20240404-en

Max time kernel

1759s

Max time network

1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
N/A | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
N/A | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
N/A | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google\Update\csrss.exe | N/A
N/A | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
N/A | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
N/A | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A
N/A | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google\Update\csrss.exe | N/A
N/A | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
N/A | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
N/A | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
N/A | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Media Player\es-ES\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\ed46fb86cf7d8f | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\200f98429d280b | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991 | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Google\Update\csrss.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Google\Update\886983d96e3d3e | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Mozilla Maintenance Service\logs\66fc9ff0ee96c2 | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files\Internet Explorer\ja-JP\9e8d7a4ca61bd9 | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ed46fb86cf7d8f | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Windows\INF\UGTHRSVC\0410\7a0fd90576e088 | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Windows\LiveKernelReports\InstallAgent.exe | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
File created | C:\Windows\LiveKernelReports\200f98429d280b | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google\Update\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google\Update\csrss.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\INF\UGTHRSVC\0410\explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\All Users\Desktop\ApplicationFrameHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\LiveKernelReports\InstallAgent.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe

"C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\chainbrowserSession - Copie.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copie" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "chainbrowserSession - Copiec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\INF\UGTHRSVC\0410\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\ApplicationFrameHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgent" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "InstallAgentI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\InstallAgent.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Do7QgDwaAc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\LiveKernelReports\InstallAgent.exe

"C:\Windows\LiveKernelReports\InstallAgent.exe"

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe

"C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe

"C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"

C:\Users\All Users\Desktop\ApplicationFrameHost.exe

"C:\Users\All Users\Desktop\ApplicationFrameHost.exe"

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe

"C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe

"C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"

C:\Program Files (x86)\Google\Update\csrss.exe

"C:\Program Files (x86)\Google\Update\csrss.exe"

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe

"C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe

"C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"

C:\Users\All Users\Desktop\ApplicationFrameHost.exe

"C:\Users\All Users\Desktop\ApplicationFrameHost.exe"

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe

"C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe

"C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe

"C:\Program Files (x86)\Windows Mail\chainbrowserSession - Copie.exe"

C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe

"C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe"

C:\Program Files (x86)\Google\Update\csrss.exe

"C:\Program Files (x86)\Google\Update\csrss.exe"

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Windows\INF\UGTHRSVC\0410\explorer.exe

C:\Users\All Users\Desktop\ApplicationFrameHost.exe

"C:\Users\All Users\Desktop\ApplicationFrameHost.exe"

C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe

"C:\Program Files (x86)\Windows Media Player\es-ES\sihost.exe"

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Windows\LiveKernelReports\InstallAgent.exe

C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe

"C:\Program Files\Internet Explorer\ja-JP\RuntimeBroker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | a0982800.xsph.ru | udp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp
US | 8.8.8.8:53 | 126.192.8.141.in-addr.arpa | udp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp
US | 8.8.8.8:53 | 213.143.182.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp
RU | 141.8.192.126:80 | a0982800.xsph.ru | tcp

Files

memory/1452-0-0x00007FFD9C953000-0x00007FFD9C954000-memory.dmp

memory/1452-1-0x0000000000E80000-0x0000000000F56000-memory.dmp

memory/1452-4-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

C:\Program Files (x86)\Google\Update\csrss.exe

MD5 dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA1 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA256 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512 d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

C:\Users\Admin\AppData\Local\Temp\Do7QgDwaAc.bat

MD5 cc830f6f7886c85fc4c1a90be8584dcd
SHA1 670e394a20f607f56ae65efd1dc4989b109d863c
SHA256 86b75e1835dc9a52fc6a0a0d83d83636356f5277d8e775ad723af721d244fd19
SHA512 483f94b735d75b397b6aeda49fdf05d625019ab93b54e719d8527be61ca0c19d7c3845130b3e1dba6bcdda9bc3667a98f0d46f3fd4fda68fbe6ddb8146540cc7

memory/1452-31-0x00007FFD9C950000-0x00007FFD9D33C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainbrowserSession - Copie.exe.log

MD5 b4268d8ae66fdd920476b97a1776bf85
SHA1 f920de54f7467f0970eccc053d3c6c8dd181d49a
SHA256 61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879
SHA512 03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallAgent.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 18:34

Reported

2024-05-15 19:18

Platform

win7-20231129-en

Max time kernel

1749s

Max time network

1799s

Command Line

"C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Windows\ehome\smss.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe | N/A
N/A | N/A | C:\Windows\ja-JP\csrss.exe | N/A
N/A | N/A | C:\Users\Default User\sppsvc.exe | N/A
N/A | N/A | C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe | N/A
N/A | N/A | C:\Users\Admin\Music\services.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Windows\ehome\smss.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Windows\ehome\smss.exe | N/A
N/A | N/A | C:\Windows\ja-JP\csrss.exe | N/A
N/A | N/A | C:\Users\Default User\sppsvc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\winlogon.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe | N/A
N/A | N/A | C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe | N/A
N/A | N/A | C:\Users\Admin\Music\services.exe | N/A
N/A | N/A | C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe | N/A
N/A | N/A | C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe | N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\explorer.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\winlogon.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files\Windows NT\Accessories\ja-JP\f3b6ecef712a24 C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\42af1c969fbb7b C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files\VideoLAN\VLC\winlogon.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files\VideoLAN\VLC\cc11b995f2a76d C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\6ccacd8608530f C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\5940a34987c991 C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ehome\smss.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Windows\ehome\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Windows\ja-JP\csrss.exe C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
File created C:\Windows\ja-JP\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ehome\smss.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\VLC\winlogon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default User\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\ja-JP\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe N/A
Token: SeDebugPrivilege N/A C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Music\services.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe C:\Windows\System32\cmd.exe
PID 1332 wrote to memory of 956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1332 wrote to memory of 948 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
PID 2280 wrote to memory of 268 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
PID 2280 wrote to memory of 2492 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
PID 2280 wrote to memory of 2068 N/A C:\Windows\system32\taskeng.exe C:\Windows\ehome\smss.exe
PID 2280 wrote to memory of 2088 N/A C:\Windows\system32\taskeng.exe C:\Program Files\VideoLAN\VLC\winlogon.exe
PID 2280 wrote to memory of 2444 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
PID 2280 wrote to memory of 2580 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
PID 2280 wrote to memory of 2776 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
PID 2280 wrote to memory of 1032 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe
PID 2280 wrote to memory of 972 N/A C:\Windows\system32\taskeng.exe C:\Windows\ja-JP\csrss.exe
PID 2280 wrote to memory of 1532 N/A C:\Windows\system32\taskeng.exe C:\Users\Default User\sppsvc.exe
PID 2280 wrote to memory of 1556 N/A C:\Windows\system32\taskeng.exe C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe
PID 2280 wrote to memory of 2824 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\Music\services.exe
PID 2280 wrote to memory of 2420 N/A C:\Windows\system32\taskeng.exe C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe
PID 2280 wrote to memory of 1072 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe
PID 2280 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe
PID 2280 wrote to memory of 1648 N/A C:\Windows\system32\taskeng.exe C:\Windows\ehome\smss.exe
PID 2280 wrote to memory of 1748 N/A C:\Windows\system32\taskeng.exe C:\Program Files\VideoLAN\VLC\winlogon.exe
PID 2280 wrote to memory of 376 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe
PID 2280 wrote to memory of 1588 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe

"C:\Users\Admin\AppData\Local\Temp\chainbrowserSession - Copie.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Music\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Local Settings\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\ehome\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9wHWbohcCd.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CA50A649-362A-49FA-9D70-BE734B971FD7} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

C:\Windows\ehome\smss.exe

C:\Windows\ehome\smss.exe

C:\Program Files\VideoLAN\VLC\winlogon.exe

"C:\Program Files\VideoLAN\VLC\winlogon.exe"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe

"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"

C:\Windows\ja-JP\csrss.exe

C:\Windows\ja-JP\csrss.exe

C:\Users\Default User\sppsvc.exe

"C:\Users\Default User\sppsvc.exe"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe

C:\Users\Admin\Music\services.exe

C:\Users\Admin\Music\services.exe

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

C:\Windows\ehome\smss.exe

C:\Windows\ehome\smss.exe

C:\Program Files\VideoLAN\VLC\winlogon.exe

"C:\Program Files\VideoLAN\VLC\winlogon.exe"

C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

C:\Windows\ja-JP\csrss.exe

C:\Windows\ja-JP\csrss.exe

C:\Windows\ehome\smss.exe

C:\Windows\ehome\smss.exe

C:\Users\Default User\sppsvc.exe

"C:\Users\Default User\sppsvc.exe"

C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe

"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\audiodg.exe"

C:\Program Files\VideoLAN\VLC\winlogon.exe

"C:\Program Files\VideoLAN\VLC\winlogon.exe"

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe

C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\taskhost.exe

C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe

"C:\Program Files (x86)\Windows Photo Viewer\de-DE\dllhost.exe"

C:\Users\Admin\Music\services.exe

C:\Users\Admin\Music\services.exe

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe

"C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\dwm.exe"

C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe

"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\Idle.exe"

C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe

"C:\Program Files\Windows NT\Accessories\ja-JP\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0982800.xsph.ru udp
RU 141.8.192.126:80 a0982800.xsph.ru tcp

Files

memory/2368-0-0x000007FEF5AD3000-0x000007FEF5AD4000-memory.dmp

memory/2368-1-0x0000000001010000-0x00000000010E6000-memory.dmp

memory/2368-2-0x000007FEF5AD0000-0x000007FEF64BC000-memory.dmp

C:\Users\Admin\Music\services.exe

MD5 dcd1dbdf7c8bfb9263e5dda02b1bfa79
SHA1 0912a5fa7ac74c5e49d72a8a4d6957b063b1d31b
SHA256 3fe6c89a0fdadaf3172be13af4fad92f5f3e08c3bde723c8b6957ac68a3503ae
SHA512 d368e5f91365af67e46514425e13323f0ad2181d5fc1e790b2b5d17e9cf8c91f46bdf582550517f703b8232f6bd59598b37a41cd637f2d9c192317e8f0134ccc

C:\Users\Admin\AppData\Local\Temp\9wHWbohcCd.bat

MD5 6e4709f06c71fb60bd08754cee36454e
SHA1 ca1dc0244cf519b483f3762a133b5cec266d5244
SHA256 6d6e7e3b2a5202adb1aaa007f6dc5b40423c9192374d20354f9ea006f7d845cc
SHA512 2a09bdea833b9ea0c3df454bfd78f8d14b86c644580eed6f3459eed78abc88b9100dc7e771b2f1ae41dcd5f7890bde789f123ed346acf8ccd79e651bb6e8d207
