Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
21-03-2023 20:46
General
-
Target
09cacacf6eef86e62b26d5d1ca217c8e.exe
-
Size
2.6MB
-
MD5
09cacacf6eef86e62b26d5d1ca217c8e
-
SHA1
21520171163005980651861cea13fc6edc82d2da
-
SHA256
abee8542dc156b695a019d34a7bf3734d2e63b648e4affb3209b151ab0f8e6ac
-
SHA512
fc90917fa408769cef02c977ff4a0f30a6b14e0fe0731a7ccd573c63da9523e48d58914c5a26b4f5d3d8faee47ea3d32ccbf5e462e802dd7b3cc23e6ad6fd4c6
-
SSDEEP
49152:ubA3jlSSI+tkWr2mvKSq32s+FBf4HrypMFQtwfRKSSutCn0:ubcSbWr2mLHyC8LSut1
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 13 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 2 IoCs
-
Drops file in Program Files directory 20 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 30 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\09cacacf6eef86e62b26d5d1ca217c8e.exe"C:\Users\Admin\AppData\Local\Temp\09cacacf6eef86e62b26d5d1ca217c8e.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\hyperchainagent\hVasfh5Xz1.vbe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\hyperchainagent\DMBt2834kk6smlkgJa5RvPFxYK.bat" "3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\hyperchainagent\Surrogaterefnet.exe"C:\hyperchainagent\Surrogaterefnet.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmgGBD5MVd.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\hyperchainagent\Surrogaterefnet.exe"C:\hyperchainagent\Surrogaterefnet.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cT8QmSmRPm.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Users\Default User\System.exe"C:\Users\Default User\System.exe"8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_64\napcrypt\6.1.0.0__31bf3856ad364e35\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\hyperchainagent\taskhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\hyperchainagent\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\hyperchainagent\taskhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\hyperchainagent\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\hyperchainagent\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\hyperchainagent\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\hyperchainagent\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\hyperchainagent\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\hyperchainagent\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\debug\WIA\System.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\debug\WIA\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Services\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\wininit.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WMIADAP.exe'" /f1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WMIADAP.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WMIADAP.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\hyperchainagent\services.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\hyperchainagent\services.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\hyperchainagent\services.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\hyperchainagent\dwm.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\hyperchainagent\dwm.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\hyperchainagent\dwm.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\services.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Pictures\services.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\services.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\csrss.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\csrss.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\hyperchainagent\lsass.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hyperchainagent\lsass.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\hyperchainagent\lsass.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\csrss.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Music\Sample Music\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /f1⤵
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\cfd8e0a2-b1a3-11ed-adb5-cee1c2fbb193\lsm.exe'" /rl HIGHEST /f1⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
197B
MD5593eec2b2fd75ca03ba1f3baafbe1542
SHA1dabfa9171189a3b363087a2c4d47fc6a08ed5511
SHA256457350f00be24daae144b8e904b9922f86fab40ee141eb5b949841b6fcdfa97d
SHA51254c7cefee0cc642193a2d85124a51a913979c210988223860545b6b13c1f6d007c3ca9ac1eb91327e385f1575b19af7ecb0953dac0aeace54c318255c904c1a4
-
Filesize
203B
MD5510d74172da1be1165dc29d8aec119b4
SHA10b130ccee6fd842cca895a0c6d6efe00084166c2
SHA2567e926da8ea04f6c88b65abeac9c7257113541723f591dec883b3a1f2063d86a3
SHA512b55edf2ee0ab3de93dc66768cbf19345474bd981b90aebaca08e3bb3f9cc6c4663c33f7368f649f2752c976afef2b014fc840188c8f7204e491fbaf4fa0ed100
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
40B
MD59cbc6ed294d7df3d71188be1778d1e84
SHA149ea3428916b3fbbb817df9f40bd7fd3385dfb1e
SHA25691bb54ba35c1ac167d6eedccd1b18f9178426f21aefcf14ac488e09dbb798af8
SHA5127303ae61150beb18504db411371d2d6e0383f2f3e7a7e3f5f7e7feffa5cbce4fc9b1225474f57050c99f32d3adcbff7f8cab41e4f9edd78a5c26c15e95dea06a
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
218B
MD516389aa806a3fd9a2322e3fbcddacede
SHA103c06c620f9717650013b8d2c30ca4a67d4e1939
SHA256f2e9cef08cce338bbc9d5eea18059a3df236f4ca5a050bce564a94347dbc1742
SHA5129d04db24f78c9a947510e32196d31380db479425cf52752231e1b0df44da43356c7e010f3dd9c79a446b05ca61ec35fbb2de5762f221b7aa1d9555d71555ea91
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
MD5dbf705ce9641d7783c9e867a15d463dc
SHA1e14b23c79cdc102ef10cb35ce78e84a50e725549
SHA256ca84510c38b5daf4723dd0f87379b68eb26a7192ed5f86f1ad21fead4c56c8b3
SHA5124ad6c5f92a2e9630bd95c3a08d259ba1f3605067ed5c60b3ccc3568b4d4ff5a0a25856000bf73cdad6e1ff3afcea6bf6e468cf9948755c4427f6feef7b2e8c81
-
Filesize
2.3MB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
344KB
-
Filesize
88KB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
112KB
-
Filesize
2.3MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
2.3MB