Analysis
-
max time kernel
899s -
max time network
886s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
01-02-2025 13:27
General
-
Target
test.exe
-
Size
1.1MB
-
MD5
311fecbbbd923a898bad691c92b6d973
-
SHA1
3adef01dc440eca910d317da3a990bd9a0f6d0b3
-
SHA256
15a42baf95ff65841b24c11950edc8c792b29d5a47ffd69290515a8a56066937
-
SHA512
4ba3775c90adfc71f2f314f3d545e520a13cee81495304cea98d079d347c3a8b9d33483f964a3d7aa437936437a938529f7817b8a69a8d4ddc5d978885d143c1
-
SSDEEP
12288:aRZ+IoG/n9IQxW3OBsee2X+t4RbCqDn2Bx2cpjvzsX6a4X6594tCPjp42nIlf4Qg:U2G/nvxW3Ww0tCdx2cpjv64X6trn3nF
Score
10/10
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process 30 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Executes dropped EXE 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs
-
Drops file in Program Files directory 7 IoCs
-
Drops file in Windows directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockportdriverSvc\emG76fp3.vbe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockportdriverSvc\vaBKK68wr.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\BlockportdriverSvc\HyperContainer.exe"C:\BlockportdriverSvc\HyperContainer.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1gNezZx45.bat"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:214⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:216⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:218⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"19⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:220⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QO5FEA9wo1.bat"21⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:222⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"23⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:224⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"24⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"25⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:226⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"26⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"27⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:228⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"28⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"29⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:230⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"30⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"31⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:232⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"32⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"33⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:234⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"34⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"35⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:236⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"36⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"37⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:238⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"38⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"39⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:240⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"40⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"41⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:242⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"42⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"43⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:244⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"44⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iMm147yiIR.bat"45⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:246⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"46⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"47⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:248⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"48⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"49⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:250⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"50⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"51⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:252⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"52⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"53⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:254⤵
-
-
C:\Recovery\WindowsRE\sysmon.exe"C:\Recovery\WindowsRE\sysmon.exe"54⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\csrss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\BlockportdriverSvc\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\BlockportdriverSvc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\BlockportdriverSvc\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\TAPI\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperContainerH" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Pictures\HyperContainer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperContainer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\HyperContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "HyperContainerH" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Pictures\HyperContainer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Public\Pictures\csrss.exeC:\Users\Public\Pictures\csrss.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"18⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:219⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"20⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:221⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"21⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"22⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:223⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"23⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"24⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:225⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"25⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ssDSZpddA3.bat"26⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:227⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"27⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"28⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:229⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"29⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"30⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:231⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"31⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"32⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:233⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"33⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"34⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:235⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"35⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Recovery\WindowsRE\conhost.exeC:\Recovery\WindowsRE\conhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Performance\WinSAT\dwm.exeC:\Windows\Performance\WinSAT\dwm.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Pictures\csrss.exeC:\Users\Public\Pictures\csrss.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KVYyjDtEXm.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\fontdrvhost.exe"13⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Recovery\WindowsRE\sysmon.exeC:\Recovery\WindowsRE\sysmon.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\BlockportdriverSvc\smss.exeC:\BlockportdriverSvc\smss.exe1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\BlockportdriverSvc\smss.exe"C:\BlockportdriverSvc\smss.exe"3⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\BlockportdriverSvc\smss.exe"C:\BlockportdriverSvc\smss.exe"5⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\BlockportdriverSvc\smss.exe"C:\BlockportdriverSvc\smss.exe"7⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\BlockportdriverSvc\smss.exe"C:\BlockportdriverSvc\smss.exe"9⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\BlockportdriverSvc\smss.exe"C:\BlockportdriverSvc\smss.exe"11⤵
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files\Internet Explorer\RuntimeBroker.exe"C:\Program Files\Internet Explorer\RuntimeBroker.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"1⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"2⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:23⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jef2EZNQSo.bat"4⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:25⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"5⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"6⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"7⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"8⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"9⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"10⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"11⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"12⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"13⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"14⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:215⤵
-
-
C:\Users\Public\Documents\My Pictures\HyperContainer.exe"C:\Users\Public\Documents\My Pictures\HyperContainer.exe"15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"16⤵
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:217⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Public\Pictures\csrss.exeC:\Users\Public\Pictures\csrss.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
829KB
MD552d7b4bdf55793ece571ff386a12c600
SHA1fec0f7a7faa7fcb4b6fb3bf64b3910a12f09d5d9
SHA256b79b92f44a036b9f3bd509120175b106678cfd073a5ee5feedd9252cdff15b28
SHA51222220909ec496247edfe63acbfaa299a653721d42a7fe4b6ec04898f69bcff7e7658835b7baf8ea9159558815ec4f0da4559a3d5e01ac5b141cebc9f56cff94b
-
Filesize
204B
MD5e7d762279ea82de2d93b487286a5cf13
SHA14a2157fa966fc956c55fe14ba3d333aad60b1ad5
SHA25604d7fd34647ff9d903c680a92d18cbbf189f825ca7a99533daaf92dd030bc02d
SHA51296dbec49aa0406716e935512553a20a6bba8e6bd2e81dc0209548e8f973fdaa4adab79cce00204d3014ef4f32a04835c1ef10c6b34929ca74f0154e76b7a6dec
-
Filesize
42B
MD575d50a7647f639cb7ca671ef64df8598
SHA10367e25444b4bec52c0f51246d0b758d20750820
SHA256f53624597136546cc93fd982308c205642632f29ce1956298ab7c10160a9d2e8
SHA512a2331b9eb9375fc83eb389e6b33886c252b455dd3ab6ca690cf0a14ad0b950675d75eb2c5d3d7d85d799eb0b31eceebd20cb9b74ea9303c3a24a1a1927946471
-
Filesize
1KB
MD5b4e91d2e5f40d5e2586a86cf3bb4df24
SHA131920b3a41aa4400d4a0230a7622848789b38672
SHA2565d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319
-
Filesize
197B
MD5620f60c19318626348ad4059b85c35e9
SHA156c8f1bf6105e017dcfed76002e4c89e8b646fff
SHA256733dd1428de7aec7770ba048421a8dc5526347326f8502c443caa32682defab9
SHA5128db7a9a08e5f7e69efa498be36cfcc1b728f7ea3d454b574eaba54aa53b8fed2d9887918e0c72b912e7f3ae1776aaf8c65e41ead75412f01fae42018456542b6
-
Filesize
197B
MD5b50feb1dc6d6d7c056e8eddd6d7b29b8
SHA1005e099d7da743a6b224d5b442ee3aa79bc7aea3
SHA2567ced08686c16dc39f580d66c890b2d7e357716d9e8d4bae1f8bfd35445e7b87e
SHA512cabd698cd78c2bc5dcb2ff43b16ac7afbcdffea9ff67e3138e6c93119bab93f3da6bca826670f060eac79fbb48352dbb374831b9bd504142b8545a51cd244a31
-
Filesize
197B
MD559241ce0236880915f1be9bdde97f66d
SHA12f9e086b88c9a0794fe63ad83c2d9dc7fa926ce0
SHA256aa86862ff1cdd831b2190d8512ae457ebf15d54bff059303f4495fb9a32c4d5f
SHA512bed072185b407b7eb65c68266db72abb64424520ba8265dc58ac482cfb3572d7bae66153cfa3840f877b4d722b77634b0319c67d0ac08f503eee6c25db9e9a08
-
Filesize
197B
MD56a60d7154e4c6b644c1b920aa05daab1
SHA1d954949bb24514020d246471041557bba9930875
SHA2563d2af18ea6f5f6ac9367d55320b7f558bf89f3ef24e70a57cc7c8d1316e0dbb7
SHA512d5e56dad3ea57001a41e69ad1ff5082ab3f092bdd6f231fd8e433c28ddbcc8fdb56dfa6805f2b62256c8b5f89e698450eb369f0f1006b180f82a0758f855f55b
-
Filesize
197B
MD5ea4fec31120d1852c920020083a197e6
SHA1a09685446be0703271290db7b0c77138fc32bf85
SHA256e099f6f4963696381e540dae929ce6f1eb8a7f5fdc573ac5891b318edca646aa
SHA512cc74b22553e2106a76371f4608b9316ebf1806875629f44101948befe8e749a752ded0844691fa14c928555ff43f06139ce980240f306804225b6492798d80b4
-
Filesize
197B
MD5c40753d00e8af67dac48950e41e0644b
SHA18574c5636c8fa92ad83d9f1d318b0b17fac92dfa
SHA256d6fb029db4510ba4bcba9d6870cfe483dbdd7b9869074de6aa2e5ec74611e86d
SHA5129934e3ad707dd19d104c6ce4d71e931f3da3df97470b83d0156d1ee64fab50464c9ba26be5aa6bbe8392e2b7a9cf23895b1579daf84ae5f565cce4d07776f84b
-
Filesize
197B
MD5af0afed58d7259d8ffe3809073a77fad
SHA16602c88e25b38a1436c9c8a381a5a590b4eac6a1
SHA256a868100c6cf083ceace252af124c1ecf850401c49b03355ee00c6170c773f563
SHA512e1d44018989256afc5e09520b193cdc119408a038cbeec8b500dc50bdae2e783596381e5d9705ec52f89da641420b4262f75c078d58cb6c59e7dcf1d31456ad4
-
Filesize
197B
MD53f87cfd3f35804f01705739671ea2662
SHA14aaa58a5a95cb6a47bef7dcd2f8a7254c6341ef3
SHA256fb6dbd830539527c60d7a2fff3b3839527f00a4d4c70ce52fcbc6a86756c2280
SHA512136aa20529b0d91ed7c5a5c60549bd3881eafadb6c4846edec963a9d17057deec7bea0c08eb5b84ea68dd46048225f65391e13d839a59a52b9775e0d072a401d
-
Filesize
197B
MD5225ef552b24d7e4d5dd376a069af70b7
SHA127b36e43f8e738e771aaf468048efb0a3673425e
SHA2568e8e02d658f1f93bd076f7aa979e4d73745893b327d8d50c088c348bb12ceb8f
SHA512212e787a7806e5353222575d2ea6d0c8b5755b972756cc694c89c7718eb8c6756faf743792f559f718d5485ab75d3f4c476b8c07881fd9ae4929d0f660373314
-
Filesize
197B
MD5b3a750aecf2564f50c564f50e8c35d98
SHA178ab0ecfc5698d56e4c6e0a64dbb4c8829d0d884
SHA256d45f65274f7873550c65b2a6674dbd93133cfcb7dd403a1ac8b362e6a829524c
SHA5128488a506ae8c4d54c3cfe7d29ade736ff8ede3a25bb999178dd3874ecd67d4ac72faf3d72647d195ba62a77122d800a292a6d7befc2b01c554af9f9a55c4f60f
-
Filesize
197B
MD5f8d25cca2e989be2679941606d1e9794
SHA13e7f168129ba11906a6edf56d11de691e5515c80
SHA2564a575b37645c116f472b1ca633cc89040a0593bb17fe03d87c5809348d25f667
SHA5122a20e492f0ff3f9e07da09b5525b3860475cc6a6f9543dce359381669ac4d5ec8282400a8ea2ac4f726274491a8803b97f4a561b107a9dd15e5df4da895776c1
-
Filesize
197B
MD556319ac1bd0f1c9bbca4c4bec7201198
SHA175cd189fad55bad16a927a77891e89e5684559e2
SHA25670e22af1958b3f9f7b3a0fad5893aa17d24ccf7d2b8517b6f5cfb3eb452ef547
SHA5127923c162a0ab4fa544a253125066eee9cb134c57bb58832f3bd458726a4b961a81c4aa25f2e980af3a8de206ed411f435fa0ebe4857be2afe082fc73e5153861
-
Filesize
197B
MD567334c11eabee27117d3abbdfcf95b88
SHA1246489fe2f795ec6d54d10f32d02a38e6b988368
SHA2565e973d68c4abbccc2cac4d5c5f1fc3184d6bceef9c70c708ce09756d99f782fe
SHA512fa1244c75f657f4b7eb16ad07c171b1ad703bf06833b644e439b08638958dc9ad951b1062cb390285a1cd958c4453c2511670dbf558c09d8685ad04595e53a72
-
Filesize
197B
MD577d518879029ba97ed45947d0aa3c765
SHA1d8dafc35741b656e5498abfced8c0ca813738b53
SHA256af7362fbb3470e6ef4bf70145397ef7452763ca33c5c13048cdb7f94e63f826b
SHA512ed682a9a22a419098bd8bb48418cc44e61c03748d84d6c4491ac67711a876d8a611f7ec11eae8876fb499d9adf322dd2eb6582577611e0d2d5a48e97332ef2a3
-
Filesize
255B
MD56e39a1317f147932be48e17980ebd06b
SHA1574a5f0c0b2548182a7b7f138248b7b857c690a5
SHA256455d49db9e60c00cd0b962e8f0dc1a9e23833084f19d1a592fc8696e37b48ce5
SHA51260efc74a2697723716c16b713baa3dc62646665132b6afa78e26273ef8f1d00abeb6168f4c1e53c5fef25c4d79af83c8c26ae288888d3f67318174aa4ab94b64
-
Filesize
197B
MD5fbf85378b73a42e139ef22fa9e11ce3f
SHA14b2a88d1f8ded7489870ee4d2e576dff2d15bb10
SHA2565f1298b1c0b9284a33b3d11305423374eec5e3e9abb7499ffd65634657460e45
SHA512c8a75e79989dd6e290cf75b6ba7eb653794e4c7d09327bc1eb8b7ddca0452d9a3db4af380dbab6033c871fd20b418f05276719b9ba006145d76f7b234b619524
-
Filesize
197B
MD5a09597f75437df2778f67345b23b586a
SHA159e82b4ef47a8268052ebea36450d826418f8ab0
SHA256f4b221daf8a06e595c3c2bfd95602ac787c789d6d53f96b0f5598a2892c54d75
SHA5125de9395e0e3b694af0c2ed1d79ef3dd8a6dc222d5d0952a67b4a2f60c0adca6c4af91a1b78aafd4f62759eb1064443c7c18cf18d42e3172fefcf9ed280e2ab33
-
Filesize
197B
MD572a9446091059b4cdab6e4bc244293b3
SHA16ce13680ac9ba181f96d9e1f07df6fe72815cb15
SHA25603d4d25565b84eef99b50bf6bff35cafb4ece7261c76320501bee8f5e20b94c0
SHA512cc8da52c760b8564c447a519a3abfaa1b163cabf530d0d8d22a3fa361b5874512145c1ef9229805a2632d76322c8cfb7e5a24099b94705de7a42b92f13b0199b
-
Filesize
255B
MD5ef4e59f32e0d12a3c62a253ae270a213
SHA13a2b72030dac2aa407faaa23410cf01446fb077f
SHA256079e361acdda026c9274adc62c268a71b126ee0b9103ac012e1caf363cb5ad01
SHA512405a3c524f489ad36a1c65336c74150dab26c7e0d6a81cc8d0bc0747a8e61efc9eb9d5b0722b47d993e6a09dc94dce442d56642b39eefa409290976a22e68684
-
Filesize
197B
MD59da3913b10986d41449743b467a9f43f
SHA1d805efa71086e9b23da0eba662866dee35d9837d
SHA256ad82083be888e4f58306280c47282880ff34aa8c1e15e4d727c29854a4d58c82
SHA512abc8613e04e446d7a7c705b1b750aa7b0e4397284897dbe6f2b69c3cab11b45ce8fac995c3c0be14fa1b696ac19b079cd094341d422c174e65fb41b02e7fd665
-
Filesize
197B
MD5cb5bf93901163176343f2ca09b0aa0b1
SHA1ba63d58033c9d491d9b6f9f3c5b5233584097cf1
SHA2562cc81ef36ffa2859b66ed1ce139e24372c254e2cb4eca2630aef498cf5d41db8
SHA512b101b491373cd5473c1e287df6c166ee138db3fc1ab3914ab6e71f1673bb646d69322ebe4ee07975676106eec09ef83f9ce00625e5a015f3f600c429b548a975
-
Filesize
197B
MD5afa5092b37ba758998661da3195c04b2
SHA1f0c0052a34d6564f9ed3a25e80f8546d7d7cbae8
SHA256a0f7bc0b9572677a64dc9eddcc7b69c4fd97ea15ecff78272a7d075b1efc17ed
SHA5123eac78e132d150e8eda1643f67beb3e07832a7c015e460a4cecfd6aadd65379d3e0978309479f0f864c08fc4d56aa78d0214aa0c1c6bb1f3e6291e1ce72e5914
-
Filesize
197B
MD5d22d6b9227468ef79e086780a6813400
SHA19cf790c847f8a3c882bba653da08c57c9cc8aff7
SHA25656aeba477d105b8c9845f4ecd626e6ca4a0f9527ce4589b7b51ce854956a35bf
SHA5125a50b132b143fe6063df4c473a6d177dc14ee8b78e691c9fa81c70ea3b98e92317c68d02d937617af8856a5f7595de272f4b3cb5d6dad4fdcf2de82fd4d4fa88
-
Filesize
197B
MD503ee446dd71c4e49481b1181c54865a1
SHA153a5fd0193e5429d88446cf1e5648577b3e4429c
SHA25605bdaa04e947a8a3c8cb82d305d75c215e29e7e62ece84a04f4c04630314b462
SHA51215c90e550d4e82151621a861a5fec4720a11de9c1bfb58228d62a034f6483a713ad23f637013cad57085cb6887021199bb1234f677c0baf9713a19a6a90e27f1
-
Filesize
197B
MD58bac8a18d1c4b604dc18dd7446d00ff9
SHA1fa2185e9d0b17c38804961d6cffef8fd86ac2833
SHA256ff00a88bb3f6d7bad38ff46cb075b2a629f5484c137f755ebe20be387ca97c1b
SHA5120a050f5cd2a88448988073a06aa917ed6ae9969a8dcfcd3e1d44bcfd02e5f3b51ba9260dee2ff3b85ed9a8b8c87f732e32778f1e8499411a43dc57ea4f66c532
-
Filesize
197B
MD5e553f57ccee83526702ecf6de20317f1
SHA1cf97e47fd89e52d76604f4fbe9fcc8eff1deb9f8
SHA256766031a19e401587707fea4dd05f3e93ff1b5fd822df9432a04dd9f65395dd3f
SHA512d3444a1f73a2bde4243d6f6c14190bac28fc0bfdcc63b7a7f7d82da114a6d1d59f5455dce105fbd9cce67bba05c8e7c22f0df6b0c20188892f56c73841939755
-
Filesize
8KB
-
Filesize
856KB