Analysis
-
max time kernel
133s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
16-05-2024 02:36
Behavioral task
behavioral1
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
4b501fa87e3f05f21f0e85ed63f0deb4.exe
Resource
win10v2004-20240508-en
General
-
Target
4b501fa87e3f05f21f0e85ed63f0deb4.exe
-
Size
1.2MB
-
MD5
4b501fa87e3f05f21f0e85ed63f0deb4
-
SHA1
ab1f15913d82d926441805a9cd847353836a7816
-
SHA256
a083297276d53c1ea773b6a44715daa36259a8a9efcbc9c18818903c25663847
-
SHA512
3e364b17ed3bc9c4b9a696ae30ef2ee001a1012c8e51c35da41234c1127b6998e81b668078aaf99ea12cbdd4ab5e29ec2ea63f1efec4b4c41c19cdd46c515de8
-
SSDEEP
24576:U2G/nvxW3Ww0t7lDVLfVQ8KMYD/KXZfjaV8bGjqHGrFo:UbA307HV7CEZ7HW7K
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 24 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2376 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2420 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2816 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 572 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1168 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2336 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2456 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2640 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2688 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 808 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1076 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1040 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1984 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 312 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2216 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 936 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 816 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1652 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1724 2412 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1588 2412 schtasks.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe dcrat behavioral1/memory/2508-13-0x0000000000DC0000-0x0000000000EA8000-memory.dmp dcrat behavioral1/memory/1288-38-0x0000000001320000-0x0000000001408000-memory.dmp dcrat -
Executes dropped EXE 2 IoCs
Processes:
refCrt.exeservices.exepid process 2508 refCrt.exe 1288 services.exe -
Loads dropped DLL 2 IoCs
Processes:
cmd.exepid process 2608 cmd.exe 2608 cmd.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 ip-api.com 10 ipinfo.io 11 ipinfo.io -
Drops file in Program Files directory 6 IoCs
Processes:
refCrt.exedescription ioc process File created C:\Program Files (x86)\Uninstall Information\sppsvc.exe refCrt.exe File created C:\Program Files (x86)\Uninstall Information\0a1fd5f707cd16 refCrt.exe File created C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\spoolsv.exe refCrt.exe File created C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\f3b6ecef712a24 refCrt.exe File created C:\Program Files (x86)\Windows Portable Devices\dwm.exe refCrt.exe File created C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3 refCrt.exe -
Drops file in Windows directory 2 IoCs
Processes:
refCrt.exedescription ioc process File created C:\Windows\PCHEALTH\ERRORREP\Idle.exe refCrt.exe File created C:\Windows\PCHEALTH\ERRORREP\6ccacd8608530f refCrt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 24 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1972 schtasks.exe 1784 schtasks.exe 1168 schtasks.exe 2336 schtasks.exe 2640 schtasks.exe 1076 schtasks.exe 2420 schtasks.exe 2688 schtasks.exe 808 schtasks.exe 1984 schtasks.exe 816 schtasks.exe 936 schtasks.exe 1652 schtasks.exe 1588 schtasks.exe 2816 schtasks.exe 2456 schtasks.exe 1040 schtasks.exe 312 schtasks.exe 2216 schtasks.exe 2376 schtasks.exe 556 schtasks.exe 572 schtasks.exe 1820 schtasks.exe 1724 schtasks.exe -
Processes:
services.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 services.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 services.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
refCrt.exeservices.exepid process 2508 refCrt.exe 2508 refCrt.exe 2508 refCrt.exe 2508 refCrt.exe 2508 refCrt.exe 2508 refCrt.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe 1288 services.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
services.exepid process 1288 services.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
refCrt.exeservices.exedescription pid process Token: SeDebugPrivilege 2508 refCrt.exe Token: SeDebugPrivilege 1288 services.exe -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
4b501fa87e3f05f21f0e85ed63f0deb4.exeWScript.execmd.exerefCrt.exedescription pid process target process PID 1336 wrote to memory of 2860 1336 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 1336 wrote to memory of 2860 1336 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 1336 wrote to memory of 2860 1336 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 1336 wrote to memory of 2860 1336 4b501fa87e3f05f21f0e85ed63f0deb4.exe WScript.exe PID 2860 wrote to memory of 2608 2860 WScript.exe cmd.exe PID 2860 wrote to memory of 2608 2860 WScript.exe cmd.exe PID 2860 wrote to memory of 2608 2860 WScript.exe cmd.exe PID 2860 wrote to memory of 2608 2860 WScript.exe cmd.exe PID 2608 wrote to memory of 2508 2608 cmd.exe refCrt.exe PID 2608 wrote to memory of 2508 2608 cmd.exe refCrt.exe PID 2608 wrote to memory of 2508 2608 cmd.exe refCrt.exe PID 2608 wrote to memory of 2508 2608 cmd.exe refCrt.exe PID 2508 wrote to memory of 1288 2508 refCrt.exe services.exe PID 2508 wrote to memory of 1288 2508 refCrt.exe services.exe PID 2508 wrote to memory of 1288 2508 refCrt.exe services.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"C:\Users\Admin\AppData\Local\Temp\4b501fa87e3f05f21f0e85ed63f0deb4.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1336 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockBroker\dCDa6ALGfvXR9eU7o.vbe"2⤵
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\blockBroker\oXLzHTz.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"C:\Users\Admin\AppData\Local\Temp\blockBroker\refCrt.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Users\Default\Local Settings\services.exe"C:\Users\Default\Local Settings\services.exe"5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\spoolsv.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\spoolsv.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\services.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2640
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2216
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD5d82ab8a29099adb65e97dd5eb7bb9acc
SHA1bff5f9f5d5793ca27e0f2f26fa437317209da5c9
SHA2567df61b5dc400e66c13e84a0fe0d0af679ed73cacc1e80877224f5dbf52594cc0
SHA512d953272aab88a6ef226b3316a8da7e145cc7bea23ca0f16e0f44dc41e6b5875ba19275234690c079572da89eb2524dbae0a87330ce33c1bd6966161e5ec5e7d1
-
Filesize
31B
MD5f2a70d75ba065b27796739df5ed59503
SHA16761a00a1b4dfc1bdc8b38ebdc1031d4878d0863
SHA2565d8b9079a09b672d42794c2948e409ee1a8a182e7cd591b3697af4ca51c73f16
SHA512931994e6ecbd19d2e804d8b9bc6015ef7d031e99497b6a585c5aed967a07894fc615981bb504dd270711e71eae9a61eb6aed0faf914c18e569adc48e847f6d84
-
Filesize
901KB
MD54a8fd7bb970c86e0650a3e110fb5e6d0
SHA1514e8249d87435de3b34bfd06e3dea9a6fb0fc96
SHA25686e9ac84264ae29059d78e2a3ebedea8d3b6c1083d03b82bdab8e32d306fd8a9
SHA512390a7e834dec74cbcc49efeee1adddb05bbe2e972e08a0ec5e6cfbecc92e4a864f6c33ce1a1d293acd42cc4f8f6ca89a8226820819170f8d86ff5e5d301e5910