Analysis
max time kernel: 148s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 09:46

Static task: static1

Behavioral task: behavioral1
  Sample: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
  Resource: win10v2004-20240508-en

General
Target: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
Size: 11.0MB
MD5: 0e38f27d79158a60eb55b2cc9a53d711
SHA1: 088e81dd3cafb143133da25124a0880a29c448f0
SHA256: 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471
SHA512: ad052b98001936e0e71f89c8c7c117feda317c4a4ff5b0fd3403db2d90cb38d0bd2a7f7396ddf777ddf4d04e992edd2c1e1f288761060c436183d23490363c78
SSDEEP: 196608:XDjdqua/WBpKJiziKUKRzBVCzTsx7nJJHywSBJa53pyRQ1I34jMGM:XNm+BpYiuK9RzBIzTsBSBJaBpyRQyoQj
Malware Config

Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 6 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 900 | 1624 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 1624 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2388 | 1624 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 880 | 1624 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1452 | 1624 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1164 | 1624 | schtasks.exe
Processes:
description | ioc | process
Every entry is a "Set value (int)" write to a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; each row gives the value name, the data written and the writing process:
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | Agentsvc.exe
PromptOnSecureDesktop = "0" | Agentsvc.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | Agentsvc.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | dcrat
\blockbrowserfontref\Agentsvc.exe | dcrat
behavioral1/memory/1476-1019-0x0000000000820000-0x0000000000996000-memory.dmp | dcrat
behavioral1/memory/2912-1039-0x0000000000CE0000-0x0000000000E56000-memory.dmp | dcrat
behavioral1/memory/1272-2020-0x0000000000E30000-0x0000000000FA6000-memory.dmp | dcrat
behavioral1/memory/2704-2032-0x0000000000F30000-0x00000000010A6000-memory.dmp | dcrat
behavioral1/memory/2320-2056-0x0000000001350000-0x00000000014C6000-memory.dmp | dcrat
behavioral1/memory/2468-2079-0x00000000001F0000-0x0000000000366000-memory.dmp | dcrat
behavioral1/memory/2584-2091-0x0000000000DE0000-0x0000000000F56000-memory.dmp | dcrat
behavioral1/memory/2700-2103-0x00000000010C0000-0x0000000001236000-memory.dmp | dcrat
behavioral1/memory/1820-2113-0x0000000000360000-0x00000000004D6000-memory.dmp | dcrat
behavioral1/memory/1100-2121-0x0000000000340000-0x00000000004B6000-memory.dmp | dcrat
behavioral1/memory/836-2129-0x0000000000020000-0x0000000000196000-memory.dmp | dcrat
behavioral1/memory/1012-2144-0x00000000001A0000-0x0000000000316000-memory.dmp | dcrat
Executes dropped EXE 19 IoCs
Processes:
pid | process
2992 | HyperLix.exe
2276 | DCRatBuild.exe
272 | HyperLix.exe
1476 | Agentsvc.exe
2912 | HyperLix.exe
1368 |
1272 | HyperLix.exe
2704 | HyperLix.exe
928 | HyperLix.exe
2320 | HyperLix.exe
972 | HyperLix.exe
2468 | HyperLix.exe
2584 | HyperLix.exe
2700 | HyperLix.exe
1820 | HyperLix.exe
1100 | HyperLix.exe
836 | HyperLix.exe
2772 | HyperLix.exe
1012 | HyperLix.exe
Loads dropped DLL 13 IoCs
Processes:
pid | process
2784 | 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
2784 | 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe
2992 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
272 | HyperLix.exe
2340 | cmd.exe
2340 | cmd.exe
1368 |
Processes:
description | ioc | process
Every entry refers to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; each row gives the operation, the data written (for writes) and the process:
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | Agentsvc.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | Agentsvc.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Key value queried | EnableLUA | HyperLix.exe
Set value (int) | EnableLUA = "0" | HyperLix.exe
Detects Pyinstaller 1 IoCs
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\HyperLix.exe | pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
1164 | schtasks.exe
900 | schtasks.exe
3040 | schtasks.exe
2388 | schtasks.exe
880 | schtasks.exe
1452 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
1476 | Agentsvc.exe
2912 | HyperLix.exe
1272 | HyperLix.exe
2704 | HyperLix.exe
928 | HyperLix.exe
2320 | HyperLix.exe
972 | HyperLix.exe
2468 | HyperLix.exe
2584 | HyperLix.exe
2700 | HyperLix.exe
1820 | HyperLix.exe
1100 | HyperLix.exe
836 | HyperLix.exe
2772 | HyperLix.exe
1012 | HyperLix.exe
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1476 | Agentsvc.exe
Token: SeDebugPrivilege | 2912 | HyperLix.exe
Token: SeDebugPrivilege | 1272 | HyperLix.exe
Token: SeDebugPrivilege | 2704 | HyperLix.exe
Token: SeDebugPrivilege | 928 | HyperLix.exe
Token: SeDebugPrivilege | 2320 | HyperLix.exe
Token: SeDebugPrivilege | 972 | HyperLix.exe
Token: SeDebugPrivilege | 2468 | HyperLix.exe
Token: SeDebugPrivilege | 2584 | HyperLix.exe
Token: SeDebugPrivilege | 2700 | HyperLix.exe
Token: SeDebugPrivilege | 1820 | HyperLix.exe
Token: SeDebugPrivilege | 1100 | HyperLix.exe
Token: SeDebugPrivilege | 836 | HyperLix.exe
Token: SeDebugPrivilege | 2772 | HyperLix.exe
Token: SeDebugPrivilege | 1012 | HyperLix.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process (identical consecutive entries are collapsed with a count)
PID 2784 wrote to memory of 2992 | 2784 | 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe | HyperLix.exe (4 entries)
PID 2784 wrote to memory of 2276 | 2784 | 9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe | DCRatBuild.exe (4 entries)
PID 2276 wrote to memory of 2720 | 2276 | DCRatBuild.exe | WScript.exe (4 entries)
PID 2992 wrote to memory of 272 | 2992 | HyperLix.exe | HyperLix.exe (3 entries)
PID 2720 wrote to memory of 2340 | 2720 | WScript.exe | cmd.exe (4 entries)
PID 2340 wrote to memory of 1476 | 2340 | cmd.exe | Agentsvc.exe (4 entries)
PID 1476 wrote to memory of 2912 | 1476 | Agentsvc.exe | HyperLix.exe (3 entries)
PID 2912 wrote to memory of 2152 | 2912 | HyperLix.exe | WScript.exe (3 entries)
PID 2912 wrote to memory of 2552 | 2912 | HyperLix.exe | WScript.exe (3 entries)
PID 2152 wrote to memory of 1272 | 2152 | WScript.exe | HyperLix.exe (3 entries)
PID 1272 wrote to memory of 2984 | 1272 | HyperLix.exe | WScript.exe (3 entries)
PID 1272 wrote to memory of 2652 | 1272 | HyperLix.exe | WScript.exe (3 entries)
PID 2984 wrote to memory of 2704 | 2984 | WScript.exe | HyperLix.exe (3 entries)
PID 2704 wrote to memory of 2836 | 2704 | HyperLix.exe | WScript.exe (3 entries)
PID 2704 wrote to memory of 2952 | 2704 | HyperLix.exe | WScript.exe (3 entries)
PID 2836 wrote to memory of 928 | 2836 | WScript.exe | HyperLix.exe (3 entries)
PID 928 wrote to memory of 2800 | 928 | HyperLix.exe | WScript.exe (3 entries)
PID 928 wrote to memory of 1972 | 928 | HyperLix.exe | WScript.exe (3 entries)
PID 2800 wrote to memory of 2320 | 2800 | WScript.exe | HyperLix.exe (3 entries)
PID 2320 wrote to memory of 536 | 2320 | HyperLix.exe | WScript.exe (2 entries)
System policy modification 1 TTPs 45 IoCs
Processes:
description | ioc | process
Every entry is a "Set value (int)" write to a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; each row gives the value name, the data written and the writing process:
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | Agentsvc.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | Agentsvc.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
EnableLUA = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | Agentsvc.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
ConsentPromptBehaviorAdmin = "0" | HyperLix.exe
PromptOnSecureDesktop = "0" | HyperLix.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\9dfff6301fe6d08ea16c8e4b67c8f073b2de0fc3657539ba93fc68e66e5da471.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2784

C:\Users\Admin\AppData\Local\Temp\HyperLix.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\HyperLix.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2992

C:\Users\Admin\AppData\Local\Temp\HyperLix.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\HyperLix.exe"
- Executes dropped EXE
- Loads dropped DLL
PID: 272

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2276

C:\Windows\SysWOW64\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\blockbrowserfontref\itVJoLv8U.vbe"
- Suspicious use of WriteProcessMemory
PID: 2720

C:\Windows\SysWOW64\cmd.exe (depth 4)
Command line: cmd /c ""C:\blockbrowserfontref\NJkyNjia8UfT.bat" "
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2340
C:\blockbrowserfontref\Agentsvc.exe (depth 5)
Command line: "C:\blockbrowserfontref\Agentsvc.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1476

C:\blockbrowserfontref\HyperLix.exe (depth 6)
Command line: "C:\blockbrowserfontref\HyperLix.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2912

C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c90fc8cd-fe8d-49f5-9cb5-178dae200074.vbs"
- Suspicious use of WriteProcessMemory
PID: 2152

C:\blockbrowserfontref\HyperLix.exe (depth 8)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1272
C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2228fd2d-0517-4c03-9082-509719887bc6.vbs"
- Suspicious use of WriteProcessMemory
PID: 2984

C:\blockbrowserfontref\HyperLix.exe (depth 10)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2704

C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc29f2fa-d7f8-48b1-a683-5b4a4216fe66.vbs"
- Suspicious use of WriteProcessMemory
PID: 2836

C:\blockbrowserfontref\HyperLix.exe (depth 12)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 928

C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26fa6df4-50b3-48c4-b456-349fbca40f47.vbs"
- Suspicious use of WriteProcessMemory
PID: 2800

C:\blockbrowserfontref\HyperLix.exe (depth 14)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2320
C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15b280e0-e67f-4d63-a4b4-301e5c8ef428.vbs"
PID: 536

C:\blockbrowserfontref\HyperLix.exe (depth 16)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 972

C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\920c4aed-5f1a-4400-b47d-ce50048f82e2.vbs"
PID: 2748

C:\blockbrowserfontref\HyperLix.exe (depth 18)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2468

C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\69ae968f-6af4-45ed-87b9-0be3f06fbe5d.vbs"
PID: 1452

C:\blockbrowserfontref\HyperLix.exe (depth 20)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2584

C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7801cfda-ec9f-4eb2-9b53-8a4593dd089b.vbs"
PID: 2752

C:\blockbrowserfontref\HyperLix.exe (depth 22)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2700
Image: C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\576b7a88-5d37-416d-8139-3ab743e56ccb.vbs"
PID: 2836

Image: C:\blockbrowserfontref\HyperLix.exe (depth 24)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1820

Image: C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec2592db-186b-4a40-b566-22aec2a2b928.vbs"
PID: 1364

Image: C:\blockbrowserfontref\HyperLix.exe (depth 26)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1100

Image: C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d847ac89-60ba-4a87-a530-ed67bc2f009e.vbs"
PID: 900

Image: C:\blockbrowserfontref\HyperLix.exe (depth 28)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 836

Image: C:\Windows\System32\WScript.exe (depth 29)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f7c22d1-6b60-48c3-aecd-70c2754de7ec.vbs"
PID: 2608

Image: C:\blockbrowserfontref\HyperLix.exe (depth 30)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 2772

Image: C:\Windows\System32\WScript.exe (depth 31)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f773951-b7b7-4164-a9fa-688f802f8697.vbs"
PID: 1928

Image: C:\blockbrowserfontref\HyperLix.exe (depth 32)
Command line: C:\blockbrowserfontref\HyperLix.exe
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID: 1012
Image: C:\Windows\System32\WScript.exe (depth 33)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16900c54-b223-4292-bcec-c676883f4531.vbs"
PID: 1692

Image: C:\Windows\System32\WScript.exe (depth 33)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\637b2952-a0c3-4366-a6fe-4029fa32184e.vbs"
PID: 2700

Image: C:\Windows\System32\WScript.exe (depth 31)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e078198-1771-4a18-85e6-fbb936424b84.vbs"
PID: 2828

Image: C:\Windows\System32\WScript.exe (depth 29)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b007b3b5-3af5-4bc6-82a2-7f34eafb1891.vbs"
PID: 764

Image: C:\Windows\System32\WScript.exe (depth 27)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ebd457d-b21b-482e-b0c2-0e1d5887bc25.vbs"
PID: 1544

Image: C:\Windows\System32\WScript.exe (depth 25)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\88b4465c-23e6-4e1d-bee3-e0f221d92f37.vbs"
PID: 1992

Image: C:\Windows\System32\WScript.exe (depth 23)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5961411-6b17-40ca-b46b-74f0697c6f02.vbs"
PID: 2424

Image: C:\Windows\System32\WScript.exe (depth 21)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\434a0a59-e509-4080-bb0f-2593a88d6b09.vbs"
PID: 2572

Image: C:\Windows\System32\WScript.exe (depth 19)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfdb4e0a-ea4a-4c86-ad98-879c668844f6.vbs"
PID: 2204

Image: C:\Windows\System32\WScript.exe (depth 17)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99f55305-2312-4ad9-ac36-4b70234a1f16.vbs"
PID: 3000

Image: C:\Windows\System32\WScript.exe (depth 15)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3da0261c-baa3-4cda-84d7-ba68ea8d89e1.vbs"
PID: 596

Image: C:\Windows\System32\WScript.exe (depth 13)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f65c6f88-f8aa-488d-8d03-f98d8fe3a779.vbs"
PID: 1972

Image: C:\Windows\System32\WScript.exe (depth 11)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0fbb3d8a-19ef-4454-8e27-75e9d32254f1.vbs"
PID: 2952

Image: C:\Windows\System32\WScript.exe (depth 9)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b054d1a7-9e60-4596-92c4-55cfe8a3380a.vbs"
PID: 2652

Image: C:\Windows\System32\WScript.exe (depth 7)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b925ccb4-57cf-4818-81a4-032fb517422e.vbs"
PID: 2552
Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 900

Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 3040

Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 2388

Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "HyperLixH" /sc MINUTE /mo 10 /tr "'C:\blockbrowserfontref\HyperLix.exe'" /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 880

Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "HyperLix" /sc ONLOGON /tr "'C:\blockbrowserfontref\HyperLix.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1452

Image: C:\Windows\system32\schtasks.exe (depth 1)
Command line: schtasks.exe /create /tn "HyperLixH" /sc MINUTE /mo 8 /tr "'C:\blockbrowserfontref\HyperLix.exe'" /rl HIGHEST /f
- Process spawned unexpected child process
- Creates scheduled task(s)
PID: 1164
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Scheduled Task/Job (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\15b280e0-e67f-4d63-a4b4-301e5c8ef428.vbs
Filesize: 711B
-
C:\Users\Admin\AppData\Local\Temp\2228fd2d-0517-4c03-9082-509719887bc6.vbs
Filesize: 711B
-
C:\Users\Admin\AppData\Local\Temp\26fa6df4-50b3-48c4-b456-349fbca40f47.vbs
Filesize: 710B
-
C:\Users\Admin\AppData\Local\Temp\69ae968f-6af4-45ed-87b9-0be3f06fbe5d.vbs
Filesize: 711B
-
C:\Users\Admin\AppData\Local\Temp\7801cfda-ec9f-4eb2-9b53-8a4593dd089b.vbs
Filesize: 711B
-
C:\Users\Admin\AppData\Local\Temp\920c4aed-5f1a-4400-b47d-ce50048f82e2.vbs
Filesize: 710B
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize: 1.7MB
-
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l1-2-0.dll
Filesize: 21KB
-
C:\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-localization-l1-2-0.dll
Filesize: 21KB
-
C:\Users\Admin\AppData\Local\Temp\_MEI29922\python311.dll
Filesize: 5.5MB
-
C:\Users\Admin\AppData\Local\Temp\_MEI29922\ucrtbase.dll
Filesize: 992KB
-
C:\Users\Admin\AppData\Local\Temp\b925ccb4-57cf-4818-81a4-032fb517422e.vbs
Filesize: 487B
-
C:\Users\Admin\AppData\Local\Temp\bc29f2fa-d7f8-48b1-a683-5b4a4216fe66.vbs
Filesize: 711B
-
C:\Users\Admin\AppData\Local\Temp\c90fc8cd-fe8d-49f5-9cb5-178dae200074.vbs
Filesize: 711B
-
C:\blockbrowserfontref\NJkyNjia8UfT.bat
Filesize: 37B
-
C:\blockbrowserfontref\itVJoLv8U.vbe
Filesize: 208B
-
\Users\Admin\AppData\Local\Temp\HyperLix.exe
Filesize: 9.8MB
-
\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-file-l2-1-0.dll
Filesize: 18KB
-
\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-processthreads-l1-1-1.dll
Filesize: 21KB
-
\Users\Admin\AppData\Local\Temp\_MEI29922\api-ms-win-core-timezone-l1-1-0.dll
Filesize: 21KB
-
\blockbrowserfontref\Agentsvc.exe
Filesize: 1.4MB