Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
20-06-2024 08:31
Behavioral task
behavioral1
Sample
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
Resource
win10v2004-20240508-en
General
-
Target
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
-
Size
827KB
-
MD5
33ab5cbb351fa75f5d4f3e3b5aa064a9
-
SHA1
ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
-
SHA256
2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
-
SHA512
4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
-
SSDEEP
12288:6HggW+CSPHjaphInx+6XlRitt/tNRWCkQu:6AgW+C4jaqZlR4/jRWCkT
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 39 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exe
description  pid  pid_target  process  target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2704  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2744  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2664  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2768  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2800  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2840  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2624  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2512  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2544  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  3056  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2564  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  816  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2824  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2808  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2948  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  328  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2932  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1052  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1984  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2020  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1796  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  492  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2180  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2600  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1560  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1596  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2348  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1252  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1512  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1200  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2112  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2772  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2896  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  588  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  852  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1268  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  480  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1160  1676  schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2028  1676  schtasks.exe
-
Processes:
resource  yara_rule
behavioral1/memory/1728-1-0x0000000001030000-0x0000000001106000-memory.dmp  dcrat
C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe  dcrat
behavioral1/memory/1716-35-0x0000000000EB0000-0x0000000000F86000-memory.dmp  dcrat
-
Executes dropped EXE 1 IoCs
Processes:
csrss.exe
pid  process
1716  csrss.exe
-
Drops file in Program Files directory 14 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
description  ioc  process
File created  C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Microsoft Games\Chess\fr-FR\5940a34987c991  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\7a0fd90576e088  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Uninstall Information\6203df4a6bafc7  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files (x86)\Windows Mail\it-IT\lsm.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Windows Media Player\56085415360792  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\explorer.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files (x86)\Windows Mail\it-IT\101b941d020240  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files (x86)\Windows Defender\ja-JP\886983d96e3d3e  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Uninstall Information\lsass.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Windows Media Player\wininit.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
-
Drops file in Windows directory 2 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
description  ioc  process
File created  C:\Windows\addins\lsm.exe  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
File created  C:\Windows\addins\101b941d020240  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid  process
2180  schtasks.exe
588  schtasks.exe
1268  schtasks.exe
2840  schtasks.exe
2624  schtasks.exe
2824  schtasks.exe
1052  schtasks.exe
2664  schtasks.exe
2768  schtasks.exe
2948  schtasks.exe
1512  schtasks.exe
2348  schtasks.exe
2704  schtasks.exe
2512  schtasks.exe
2808  schtasks.exe
492  schtasks.exe
2772  schtasks.exe
2932  schtasks.exe
1796  schtasks.exe
1596  schtasks.exe
1252  schtasks.exe
816  schtasks.exe
328  schtasks.exe
2744  schtasks.exe
2800  schtasks.exe
2544  schtasks.exe
3056  schtasks.exe
852  schtasks.exe
1984  schtasks.exe
2020  schtasks.exe
2600  schtasks.exe
1200  schtasks.exe
2564  schtasks.exe
1560  schtasks.exe
2896  schtasks.exe
480  schtasks.exe
2112  schtasks.exe
1160  schtasks.exe
2028  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
csrss.exe
pid  process
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
1716  csrss.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
csrss.exe
description  pid  process
Token: SeDebugPrivilege  1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
Token: SeDebugPrivilege  1716  csrss.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
description  pid  process  target process
PID 1728 wrote to memory of 1716  1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe  csrss.exe
PID 1728 wrote to memory of 1716  1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe  csrss.exe
PID 1728 wrote to memory of 1716  1728  33ab5cbb351fa75f5d4f3e3b5aa064a9.exe  csrss.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe
"C:\Users\Admin\AppData\Local\Temp\33ab5cbb351fa75f5d4f3e3b5aa064a9.exe"
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe
"C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\explorer.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\explorer.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\addins\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default\NetHood\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\NetHood\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\services.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\lsm.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\lsm.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\wininit.exe'" /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\50341a82-0d88-11ef-8a7e-5aba25856535\wininit.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files\Microsoft Games\Chess\fr-FR\dllhost.exe
Filesize
827KB
MD5 33ab5cbb351fa75f5d4f3e3b5aa064a9
SHA1 ac9bcf69aecff1ff5d4108df204a4a2b572e1eef
SHA256 2e2163fd9a3cf6e23a7b9509e64a877e5b6c5abf8537fe738466f83112539d17
SHA512 4e62650b49ae86c152463742a04980627d54dc8efc7dd3443625210d13db815f279989d846bbca4376cd127595403cfd53160c0fa78f3d198bf400da5655a98e
-
memory/1716-35-0x0000000000EB0000-0x0000000000F86000-memory.dmp
Filesize
856KB
-
memory/1728-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp
Filesize
4KB
-
memory/1728-1-0x0000000001030000-0x0000000001106000-memory.dmp
Filesize
856KB
-
memory/1728-2-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp
Filesize
9.9MB
-
memory/1728-36-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp
Filesize
9.9MB