Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
submitted: 10/07/2024, 13:06
Static task: static1
Behavioral task: behavioral1
Sample: 35DE7C29B04A8DDF9846DC4E72EADFA8.exe
Resource: win7-20240704-en
General
Target: 35DE7C29B04A8DDF9846DC4E72EADFA8.exe
Size: 4.1MB
MD5: 35de7c29b04a8ddf9846dc4e72eadfa8
SHA1: 6809d9310993ae69cb0830666090f29f3147dde7
SHA256: b7c1f1f97c8a58f45f777ea7651b7cc691878a770fe36edc2e37fc3f02595ded
SHA512: f825fe5d157e2a09f12d924b2ce261ca65e707fd1f73bfb7412de8a440b4b8dd386ebcf2fbe6143dcfbed424edacd1a4e4284786941002b0a8a8a547f33b9c97
SSDEEP: 98304:wzpg8gUmhLVYgQjxvDS875vO5504aswc22JXm/o/189MsuhebehGOG:lBUmVf+xDvOM4at2JBaiRgbGG
Malware Config
Signatures
Process spawned unexpected child process 18 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1488 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2972 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1636 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2208 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2288 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1224 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1484 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1244 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 832 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1912 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1368 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1856 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2220 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2004 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1708 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 548 | 2304 | schtasks.exe | 36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2400 | 2304 | schtasks.exe | 36
Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2984 | powershell.exe
884 | powershell.exe
2532 | powershell.exe
2992 | powershell.exe
656 | powershell.exe
3012 | powershell.exe
2124 | powershell.exe
556 | powershell.exe
2100 | powershell.exe
988 | powershell.exe
3068 | powershell.exe
2380 | powershell.exe
2388 | powershell.exe
2168 | powershell.exe
2988 | powershell.exe
304 | powershell.exe
2200 | powershell.exe
3000 | powershell.exe
876 | powershell.exe
Executes dropped EXE 4 IoCs
pid | Process
2812 | Win 10 Tweaker.exe
2704 | DCRatBuild.exe
1048 | AgentWeb.exe
2920 | AgentWeb.exe
Loads dropped DLL 4 IoCs
pid | Process
2720 | 35DE7C29B04A8DDF9846DC4E72EADFA8.exe
2720 | 35DE7C29B04A8DDF9846DC4E72EADFA8.exe
2636 | cmd.exe
2636 | cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | ipinfo.io
3 | ipinfo.io
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File created | C:\Program Files\Windows Sidebar\sppsvc.exe | AgentWeb.exe
File created | C:\Program Files\Windows Sidebar\0a1fd5f707cd16 | AgentWeb.exe
File created | C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe | AgentWeb.exe
File created | C:\Program Files (x86)\Common Files\System\Ole DB\69ddcba757bf72 | AgentWeb.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File created | C:\Windows\PLA\Reports\Idle.exe | AgentWeb.exe
File created | C:\Windows\PLA\Reports\6ccacd8608530f | AgentWeb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Win 10 Tweaker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Win 10 Tweaker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Win 10 Tweaker.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | AgentWeb.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob value omitted) | AgentWeb.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
664 | PING.EXE
Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1636 | schtasks.exe
1244 | schtasks.exe
1368 | schtasks.exe
2400 | schtasks.exe
1224 | schtasks.exe
548 | schtasks.exe
2004 | schtasks.exe
2972 | schtasks.exe
2288 | schtasks.exe
1484 | schtasks.exe
832 | schtasks.exe
2204 | schtasks.exe
1912 | schtasks.exe
1856 | schtasks.exe
1488 | schtasks.exe
2208 | schtasks.exe
2220 | schtasks.exe
1708 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1048 | AgentWeb.exe (64 identical entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2920 | AgentWeb.exe
Suspicious use of AdjustPrivilegeToken 27 IoCs
description | pid | Process
Token: SeRestorePrivilege | 2812 | Win 10 Tweaker.exe
Token: SeBackupPrivilege | 2812 | Win 10 Tweaker.exe
Token: SeTakeOwnershipPrivilege | 2812 | Win 10 Tweaker.exe
Token: SeDebugPrivilege | 1048 | AgentWeb.exe
Token: SeRestorePrivilege | 2812 | Win 10 Tweaker.exe
Token: SeBackupPrivilege | 2812 | Win 10 Tweaker.exe
Token: SeTakeOwnershipPrivilege | 2812 | Win 10 Tweaker.exe
Token: SeDebugPrivilege | 876 | powershell.exe
Token: SeDebugPrivilege | 3068 | powershell.exe
Token: SeDebugPrivilege | 2200 | powershell.exe
Token: SeDebugPrivilege | 3000 | powershell.exe
Token: SeDebugPrivilege | 2124 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2992 | powershell.exe
Token: SeDebugPrivilege | 2100 | powershell.exe
Token: SeDebugPrivilege | 2388 | powershell.exe
Token: SeDebugPrivilege | 2988 | powershell.exe
Token: SeDebugPrivilege | 656 | powershell.exe
Token: SeDebugPrivilege | 988 | powershell.exe
Token: SeDebugPrivilege | 2380 | powershell.exe
Token: SeDebugPrivilege | 2532 | powershell.exe
Token: SeDebugPrivilege | 556 | powershell.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeDebugPrivilege | 304 | powershell.exe
Token: SeDebugPrivilege | 884 | powershell.exe
Token: SeDebugPrivilege | 2168 | powershell.exe
Token: SeDebugPrivilege | 2920 | AgentWeb.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2720 wrote to memory of 2812 | 2720 | 35DE7C29B04A8DDF9846DC4E72EADFA8.exe | 30 | 4
PID 2720 wrote to memory of 2704 | 2720 | 35DE7C29B04A8DDF9846DC4E72EADFA8.exe | 31 | 4
PID 2704 wrote to memory of 2808 | 2704 | DCRatBuild.exe | 32 | 4
PID 2808 wrote to memory of 2636 | 2808 | WScript.exe | 33 | 4
PID 2636 wrote to memory of 1048 | 2636 | cmd.exe | 35 | 4
PID 1048 wrote to memory of 2124 | 1048 | AgentWeb.exe | 55 | 3
PID 1048 wrote to memory of 3068 | 1048 | AgentWeb.exe | 56 | 3
PID 1048 wrote to memory of 2380 | 1048 | AgentWeb.exe | 57 | 3
PID 1048 wrote to memory of 2984 | 1048 | AgentWeb.exe | 58 | 3
PID 1048 wrote to memory of 556 | 1048 | AgentWeb.exe | 59 | 3
PID 1048 wrote to memory of 2100 | 1048 | AgentWeb.exe | 60 | 3
PID 1048 wrote to memory of 304 | 1048 | AgentWeb.exe | 61 | 3
PID 1048 wrote to memory of 2200 | 1048 | AgentWeb.exe | 62 | 3
PID 1048 wrote to memory of 988 | 1048 | AgentWeb.exe | 63 | 3
PID 1048 wrote to memory of 2388 | 1048 | AgentWeb.exe | 64 | 3
PID 1048 wrote to memory of 656 | 1048 | AgentWeb.exe | 65 | 3
PID 1048 wrote to memory of 3000 | 1048 | AgentWeb.exe | 66 | 3
PID 1048 wrote to memory of 3012 | 1048 | AgentWeb.exe | 67 | 3
PID 1048 wrote to memory of 884 | 1048 | AgentWeb.exe | 69 | 3
PID 1048 wrote to memory of 876 | 1048 | AgentWeb.exe | 70 | 2
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe"
    PID: 2720
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe"
      PID: 2812
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      PID: 2704
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\HyperChainfontsavesmonitor\VPTeWp0smbQ3qHZZcYkR4mgdSacpq1BQvDCAsQjp2MnhMD2wVcQQLBRVQ.vbe"
        PID: 2808
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c ""C:\HyperChainfontsavesmonitor\ye0QVtfzdmAHBoO0xyfpKNTjr1iJYvGquri2e5NU7SmBq2hfP7YACWvOyXf.bat" "
          PID: 2636
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
        [5] C:\HyperChainfontsavesmonitor\AgentWeb.exe
            Command line: "C:\HyperChainfontsavesmonitor/AgentWeb.exe"
            PID: 1048
            - Executes dropped EXE
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              PID: 2124
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              PID: 3068
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              PID: 2380
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/HyperChainfontsavesmonitor/'
              PID: 2984
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
              PID: 556
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              PID: 2100
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              PID: 304
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              PID: 2200
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              PID: 988
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              PID: 2388
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              PID: 656
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              PID: 3000
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              PID: 3012
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\Idle.exe'
              PID: 884
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'
              PID: 876
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'
              PID: 2532
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\sppsvc.exe'
              PID: 2988
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'
              PID: 2168
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\AgentWeb.exe'
              PID: 2992
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\System32\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B5PzsbuUqI.bat"
              PID: 2612
            [7] C:\Windows\system32\chcp.com
                Command line: chcp 65001
                PID: 1476
            [7] C:\Windows\system32\PING.EXE
                Command line: ping -n 10 localhost
                PID: 664
                - Runs ping.exe
            [7] C:\HyperChainfontsavesmonitor\AgentWeb.exe
                Command line: "C:\HyperChainfontsavesmonitor\AgentWeb.exe"
                PID: 2920
                - Executes dropped EXE
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /f
    PID: 1488
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
    PID: 2972
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
    PID: 1636
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /f
    PID: 2208
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /rl HIGHEST /f
    PID: 2288
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\5ba42562-3a8b-11ef-9d17-d685e2345d05\smss.exe'" /rl HIGHEST /f
    PID: 1224
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /f
    PID: 1484
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /rl HIGHEST /f
    PID: 1244
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\Ole DB\smss.exe'" /rl HIGHEST /f
    PID: 832
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /f
    PID: 2204
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
    PID: 1912
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\sppsvc.exe'" /rl HIGHEST /f
    PID: 1368
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /f
    PID: 1856
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2220
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\HyperChainfontsavesmonitor\WmiPrvSE.exe'" /rl HIGHEST /f
    PID: 2004
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 11 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /f
    PID: 1708
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "AgentWeb" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
    PID: 548
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 14 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
    PID: 2400
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
Network
MITRE ATT&CK Enterprise v15
Downloads