Analysis

max time kernel: 151s
max time network: 122s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 18/11/2023, 03:36
Behavioral tasks

behavioral1: sample ed4e123b6451095714644fcf1367ba60.exe, resource win7-20231023-en (the run reported below)
behavioral2: sample ed4e123b6451095714644fcf1367ba60.exe, resource win10v2004-20231020-en
General

Target: ed4e123b6451095714644fcf1367ba60.exe
Size: 1.1MB
MD5: ed4e123b6451095714644fcf1367ba60
SHA1: 12a24314c6d55271d040f3a62703f6669ef51b61
SHA256: b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
SHA512: a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5
SSDEEP: 24576:6ADdteLS1VO6wLVqq0aJSw69voIN7y7Di0:cE86MVX/SwHmf
Malware Config
Signatures

DcRat
DarkCrystal RAT (DcRat) is a .NET RAT active since June 2019 that can load additional plugins.
resource / yara_rule:
- behavioral1/memory/2212-0-0x0000000000FF0000-0x000000000111C000-memory.dmp: dcrat
- behavioral1/files/0x0009000000016d1c-17.dat: dcrat
- behavioral1/files/0x000500000000b1f2-128.dat: dcrat
- behavioral1/files/0x000500000000b1f2-170.dat: dcrat
- behavioral1/files/0x000500000000b1f2-171.dat: dcrat
- behavioral1/memory/2236-173-0x00000000000D0000-0x00000000001FC000-memory.dmp: dcrat
- behavioral1/memory/2236-177-0x000000001B0F0000-0x000000001B170000-memory.dmp: dcrat

Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro. Note that in this run the parent is WmiPrvSE.exe, which is the parent of any process created through WMI (Win32_Process.Create), so these entries are evidence of WMI-based process creation by the sample rather than of an exploited parent.
All 51 entries share one description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process. Parent PID 2720 (procid_target 28); child process schtasks.exe with PIDs:
2864, 2728, 2316, 2664, 2528, 2668, 2520, 2576, 1836, 2132, 1760, 588, 1164, 592, 1180, 1252, 2840, 2920, 888, 2320, 2040, 2004, 1320, 936, 2564, 940, 1144, 1680, 1552, 2312, 2476, 1136, 2892, 2080, 2060, 2276, 1076, 2228, 2384, 1784, 380, 1496, 1156, 1932, 2924, 1764, 2396, 1924, 1520, 2928, 2428

Executes dropped EXE (1 IoC)
PID 2236: csrss.exe
Drops file in Program Files directory (44 IoCs)
Process for every entry: ed4e123b6451095714644fcf1367ba60.exe
- File opened for modification: C:\Program Files (x86)\MSBuild\csrss.exe
- File opened for modification: C:\Program Files\Windows Defender\en-US\Idle.exe
- File created: C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe
- File created: C:\Program Files (x86)\Windows Photo Viewer\es-ES\8f5eaa17b5ce4f
- File created: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe
- File created: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\0a1fd5f707cd16
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe
- File opened for modification: C:\Program Files\Windows Journal\en-US\csrss.exe
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\RCX35AE.tmp
- File opened for modification: C:\Program Files (x86)\Uninstall Information\RCX429C.tmp
- File created: C:\Program Files (x86)\Windows Mail\fr-FR\7a0fd90576e088
- File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe
- File created: C:\Program Files (x86)\Windows Photo Viewer\b75386f1303e64
- File created: C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe
- File created: C:\Program Files (x86)\Uninstall Information\audiodg.exe
- File opened for modification: C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe
- File created: C:\Program Files\Windows Defender\en-US\6ccacd8608530f
- File created: C:\Program Files (x86)\Windows Photo Viewer\en-US\886983d96e3d3e
- File created: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXD6E.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe
- File opened for modification: C:\Program Files (x86)\MSBuild\RCX22B7.tmp
- File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe
- File created: C:\Program Files (x86)\MSBuild\csrss.exe
- File created: C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe
- File created: C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b
- File opened for modification: C:\Program Files\Windows Defender\en-US\RCX34C.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe
- File created: C:\Program Files\Windows Defender\en-US\Idle.exe
- File created: C:\Program Files (x86)\Microsoft.NET\69ddcba757bf72
- File opened for modification: C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX1185.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe
- File opened for modification: C:\Program Files (x86)\Microsoft.NET\smss.exe
- File created: C:\Program Files\Windows Journal\en-US\886983d96e3d3e
- File created: C:\Program Files (x86)\Microsoft.NET\smss.exe
- File opened for modification: C:\Program Files (x86)\Windows Mail\fr-FR\RCX5FC.tmp
- File opened for modification: C:\Program Files\Windows Journal\en-US\RCX24CB.tmp
- File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\es-ES\RCX3A41.tmp
- File created: C:\Program Files (x86)\MSBuild\886983d96e3d3e
- File created: C:\Program Files\Windows Journal\en-US\csrss.exe
- File opened for modification: C:\Program Files (x86)\Microsoft.NET\RCX4098.tmp
- File opened for modification: C:\Program Files (x86)\Uninstall Information\audiodg.exe
- File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\it-IT\RCX44A0.tmp
Drops file in Windows directory (4 IoCs)
Process for every entry: ed4e123b6451095714644fcf1367ba60.exe
- File created: C:\Windows\Downloaded Program Files\886983d96e3d3e
- File opened for modification: C:\Windows\Downloaded Program Files\RCX32FE.tmp
- File opened for modification: C:\Windows\Downloaded Program Files\csrss.exe
- File created: C:\Windows\Downloaded Program Files\csrss.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe, PIDs 2132, 2004, 2564, 380, 1680, 1136, 2892, 1784, 2316, 2520, 1764, 2428, 2576, 1552, 1076, 1252, 1520, 2276, 2384, 936, 1932, 2668, 1164, 1320, 592, 1156, 2476, 1924, 2840, 588, 2040, 2928, 1760, 1496, 2924, 2396, 1836, 2080, 2320, 1144, 2060, 2228, 2728, 2664, 1180, 2920, 940, 2312, 2864, 2528, 888

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- PID 2212, ed4e123b6451095714644fcf1367ba60.exe (9 entries)
- PID 2236, csrss.exe (1 entry)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 2212, ed4e123b6451095714644fcf1367ba60.exe
- Token: SeDebugPrivilege, PID 2236, csrss.exe

Suspicious use of WriteProcessMemory (15 IoCs)
- PID 2212 (ed4e123b6451095714644fcf1367ba60.exe) wrote to memory of 2940, procid_target 82 (3 entries)
- PID 2940 (cmd.exe) wrote to memory of 2224, procid_target 84 (3 entries)
- PID 2940 (cmd.exe) wrote to memory of 2236, procid_target 85 (3 entries)
- PID 2236 (csrss.exe) wrote to memory of 2756, procid_target 86 (3 entries)
- PID 2236 (csrss.exe) wrote to memory of 3064, procid_target 87 (3 entries)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe (PID 2212)
  command line: "C:\Users\Admin\AppData\Local\Temp\ed4e123b6451095714644fcf1367ba60.exe"
  signatures: Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 2940)
    command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVPMa6E9xy.bat"
    signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\w32tm.exe (PID 2224)
      command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    - C:\Windows\Downloaded Program Files\csrss.exe (PID 2236)
      command line: "C:\Windows\Downloaded Program Files\csrss.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\System32\WScript.exe (PID 2756)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\adb5acda-4392-4450-b1fb-447b4ec62c96.vbs"
      - C:\Windows\System32\WScript.exe (PID 3064)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3ede2f1-8cf1-4f24-abdc-3c62eac83f61.vbs"

- C:\Windows\system32\schtasks.exe, 51 top-level instances. Their parent is not part of this tree; the "Process spawned unexpected child process" signature attributes all of them to wmiprvse.exe (PID 2720). Every instance is flagged with Process spawned unexpected child process and Creates scheduled task(s). PID and command line:
  - PID 2864: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /f
  - PID 2728: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
  - PID 2316: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
  - PID 2664: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /f
  - PID 2528: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
  - PID 2668: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
  - PID 2520: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /f
  - PID 2576: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f
  - PID 1836: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\sppsvc.exe'" /rl HIGHEST /f
  - PID 2132: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /f
  - PID 1760: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /rl HIGHEST /f
  - PID 588: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\14fb2242-720d-11ee-be72-ec26920784ed\lsass.exe'" /rl HIGHEST /f
  - PID 1164: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /f
  - PID 592: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
  - PID 1180: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\csrss.exe'" /rl HIGHEST /f
  - PID 1252: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
  - PID 2840: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - PID 2920: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
  - PID 888: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /f
  - PID 2320: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
  - PID 2040: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
  - PID 2004: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /f
  - PID 1320: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
  - PID 936: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\services.exe'" /rl HIGHEST /f
  - PID 2564: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
  - PID 940: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - PID 1144: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
  - PID 1680: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
  - PID 1552: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
  - PID 2312: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
  - PID 2476: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /f
  - PID 1136: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
  - PID 2892: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\en-US\csrss.exe'" /rl HIGHEST /f
  - PID 2080: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
  - PID 2060: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  - PID 2276: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
  - PID 1076: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /f
  - PID 2228: schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
  - PID 2384: schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
  - PID 1784: schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /f
  - PID 380: schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f
  - PID 1496: schtasks.exe /create /tn "ed4e123b6451095714644fcf1367ba60e" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\es-ES\ed4e123b6451095714644fcf1367ba60.exe'" /rl HIGHEST /f
  - PID 1156: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /f
  - PID 1932: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f
  - PID 2924: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\smss.exe'" /rl HIGHEST /f
  - PID 1764: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
  - PID 2396: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - PID 1924: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
  - PID 1520: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /f
  - PID 2928: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
  - PID 2428: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\sppsvc.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.1MB
  MD5: ed4e123b6451095714644fcf1367ba60
  SHA1: 12a24314c6d55271d040f3a62703f6669ef51b61
  SHA256: b957c6d107b4f671a489452761f99ce7ad7396e88f2d3f54310b44a39c87e9f7
  SHA512: a26e311a29ac440f8339a97ae825a7afd4368afd02f258d2865c5a8690e27619470d09a083d8309655c441f292c681510a3b79aa5802846fd8a83acf54d698c5

- Filesize: 210B
  MD5: b6554afedc2833bb17019201af391652
  SHA1: faaa9440317c3c92e8936a2d18ea2ef4dd1ef8eb
  SHA256: db97efc70672a57bda3846fd15ebd24b67098fe7f12b7c950036f9c9103585cf
  SHA512: eda4d2b4ec58a69078d00f5169cf3aee6913f2a5de031ab9335d4108688c7d263d33eabc2b3ab7ea818fd53dce3484b3089f48f861418f96e325b50a643dba60

- Filesize: 721B
  MD5: ecebf908eab583aa2b6ca52468c9ee36
  SHA1: cd00498ef15e80af1852873ed145121f52e57327
  SHA256: 5d515b19ef36408b40526dcb34844998a6bac02349863171786ed7c90e344ebc
  SHA512: db6812ee19a7f9c388e256e8f1de7d48ab0117f6fe584a53fb5ae4eeb5b67425d4a674db08a351a450457c38076b8f04e403c1205cb5169be3a0a69031feca1d

- Filesize: 497B
  MD5: 535af12e88d43767ed9e081862c7ae6f
  SHA1: 33ce9c98e61b7bcba3d3666662cdc179d9d994e5
  SHA256: 3ec13780826df03ee7bb875b86d264e308333a835f4918b40f6de5f77105a7ea
  SHA512: 8fd1e87f3b2293bb4e83dd2d86f68af8a8b242dfa5d1f2180c45ed43e3affb8754bf006c294e6ff1674274412f8f8498b0ed57d4fe6db81e125d40716ccc1891

- Filesize: 1.1MB (this entry is listed three times in the report with identical hashes)
  MD5: 0ee3b7ae54ea1bca63b6590752c46300
  SHA1: 32655b45f632a676d9cdd721c6c3de90cd14d329
  SHA256: 6496c6c2188a43073e94f2900c8db346718b3ace1aa19c42d8e8bd63a3a22bd0
  SHA512: 188b561d32e06df461495c50b3e51f74ce51691d00a35723144961f7809608e19f9a30708a700bebc50e05474d7d13d5b1dea16d295cf9626287b07acf0c4e50