Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
31-05-2024 07:57
Behavioral task
behavioral1
Sample
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Resource
win10v2004-20240426-en
General
-
Target
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
-
Size
829KB
-
MD5
28b77e68b269756ba427c8d30deef9de
-
SHA1
815371ee33e46a6b1a1257b6e01bbaf46ce8d0f5
-
SHA256
00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e
-
SHA512
23488adba74b5c22bca70c2b307020b00696eafc37041bd4a578227d2d4ac6c5ac5f1b107159ea9a15ff08fb865409e06164649a1a2b584fb5bc0b8186b73554
-
SSDEEP
24576:REKNonGb2iV7XQyzP9miug5/JXqY/0u0DT:REK+nC7dmzg5Mu0
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 57 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process (same for all 57 entries)
pid_target: 2612
process: schtasks.exe
pid (one per entry): 2104, 2560, 2608, 2820, 2680, 2552, 2412, 2428, 2532, 2832, 1572, 1252, 1044, 2696, 2720, 2308, 1652, 768, 1784, 312, 2156, 1464, 2140, 1684, 1244, 1280, 2320, 2016, 1880, 2008, 1604, 1872, 1964, 488, 580, 2780, 584, 1820, 1576, 1312, 2956, 820, 864, 2116, 2328, 1712, 1316, 560, 924, 2132, 1448, 1644, 2292, 804, 2240, 2252, 1008 -
Processes:
resource  yara_rule
behavioral1/memory/1680-1-0x0000000000F50000-0x0000000001026000-memory.dmp  dcrat
C:\MSOCache\All Users\wininit.exe  dcrat
behavioral1/memory/2568-49-0x00000000001A0000-0x0000000000276000-memory.dmp  dcrat -
Executes dropped EXE 1 IoCs
Processes:
pid  process
2568  smss.exe -
Drops file in System32 directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Windows\SysWOW64\com\it-IT\explorer.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Windows\SysWOW64\com\it-IT\7a0fd90576e088  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe -
Drops file in Program Files directory 12 IoCs
Processes:
description  ioc  process
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\42af1c969fbb7b  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft SQL Server Compact Edition\41686168940558  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Common Files\Adobe\42af1c969fbb7b  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Windows Defender\it-IT\5940a34987c991  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Common Files\Adobe\audiodg.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\101b941d020240  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe -
Drops file in Windows directory 5 IoCs
Processes:
description  ioc  process
File created  C:\Windows\Branding\5940a34987c991  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Windows\LiveKernelReports\spoolsv.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Windows\LiveKernelReports\f3b6ecef712a24  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Windows\winsxs\Idle.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
File created  C:\Windows\Branding\dllhost.exe  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 57 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
process: schtasks.exe (same for all 57 entries)
pid (one per entry): 864, 1244, 488, 820, 1712, 2412, 1252, 1880, 2104, 1652, 2016, 1872, 2696, 2156, 2608, 2428, 1784, 2132, 1448, 1644, 1280, 2780, 924, 2560, 2532, 1684, 2320, 2328, 1572, 312, 1316, 2292, 2308, 1964, 1576, 2956, 2240, 2252, 2832, 2008, 584, 1820, 1044, 1604, 580, 1008, 768, 1464, 1312, 804, 2140, 560, 2116, 2820, 2680, 2552, 2720 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid  process
1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
2568  smss.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe
Token: SeDebugPrivilege  2568  smss.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description  pid  process  target process
PID 1680 wrote to memory of 2260  1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe  cmd.exe
PID 1680 wrote to memory of 2260  1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe  cmd.exe
PID 1680 wrote to memory of 2260  1680  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe  cmd.exe
PID 2260 wrote to memory of 1536  2260  cmd.exe  w32tm.exe
PID 2260 wrote to memory of 1536  2260  cmd.exe  w32tm.exe
PID 2260 wrote to memory of 1536  2260  cmd.exe  w32tm.exe
PID 2260 wrote to memory of 2568  2260  cmd.exe  smss.exe
PID 2260 wrote to memory of 2568  2260  cmd.exe  smss.exe
PID 2260 wrote to memory of 2568  2260  cmd.exe  smss.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe"C:\Users\Admin\AppData\Local\Temp\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0br16aFg95.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵PID:1536
-
C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe"C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Branding\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Branding\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Branding\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2412
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 13 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 11 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e" /sc ONLOGON /tr "'C:\Users\Default\Recent\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e0" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2016
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Favorites\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:864
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:560
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\com\it-IT\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\com\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\com\it-IT\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1008
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\MSOCache\All Users\wininit.exe
Filesize  829KB
MD5  28b77e68b269756ba427c8d30deef9de
SHA1  815371ee33e46a6b1a1257b6e01bbaf46ce8d0f5
SHA256  00c11ab6fa421c4e69915b1d5db441df33cfcc7c61128bb81029816fd0aa222e
SHA512  23488adba74b5c22bca70c2b307020b00696eafc37041bd4a578227d2d4ac6c5ac5f1b107159ea9a15ff08fb865409e06164649a1a2b584fb5bc0b8186b73554
-
C:\Users\Admin\AppData\Local\Temp\0br16aFg95.bat
Filesize  226B
MD5  5128fc500ec4b46bb796478328a953fb
SHA1  1c6bb367057b845ef00fba150192206ed1b5220f
SHA256  7a35402d2644feaf0efe8267e0a046a0e8462a2084c3fc5653c140d97c8486b8
SHA512  9b7bb14119c3cf153fc059e23494c6f8a969d574df3947dbd036f644973be3032023974db8749731274f428a01381f79a6c39a6c6041c70cb669fefb402b2be9
-
memory/1680-0-0x000007FEF5A43000-0x000007FEF5A44000-memory.dmp
Filesize  4KB
-
memory/1680-1-0x0000000000F50000-0x0000000001026000-memory.dmp
Filesize  856KB
-
memory/1680-2-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp
Filesize  9.9MB
-
memory/1680-46-0x000007FEF5A40000-0x000007FEF642C000-memory.dmp
Filesize  9.9MB
-
memory/2568-49-0x00000000001A0000-0x0000000000276000-memory.dmp
Filesize  856KB