b7c1f1f97c8a58f45f777ea7651b7cc691878a770fe36edc2e37fc3f02595ded

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35DE7C29B04A8DDF9846DC4E72EADFA8.exe
Size

4.1MB
MD5

35de7c29b04a8ddf9846dc4e72eadfa8
SHA1

6809d9310993ae69cb0830666090f29f3147dde7
SHA256

b7c1f1f97c8a58f45f777ea7651b7cc691878a770fe36edc2e37fc3f02595ded
SHA512

f825fe5d157e2a09f12d924b2ce261ca65e707fd1f73bfb7412de8a440b4b8dd386ebcf2fbe6143dcfbed424edacd1a4e4284786941002b0a8a8a547f33b9c97
SSDEEP

98304:wzpg8gUmhLVYgQjxvDS875vO5504aswc22JXm/o/189MsuhebehGOG:lBUmVf+xDvOM4at2JBaiRgbGG

Score

10^/10

execution spyware stealer

Malware Config

Signatures

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4536	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3124	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1620	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1620	schtasks.exe	92

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3520	powershell.exe
3204	powershell.exe
2476	powershell.exe
1240	powershell.exe
5024	powershell.exe
1508	powershell.exe
4332	powershell.exe
2364	powershell.exe
1588	powershell.exe
3568	powershell.exe
3772	powershell.exe
3836	powershell.exe
4148	powershell.exe
1400	powershell.exe
4288	powershell.exe
4308	powershell.exe
4336	powershell.exe
2236	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	35DE7C29B04A8DDF9846DC4E72EADFA8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation	AgentWeb.exe

Executes dropped EXE 4 IoCs

pid	Process
4556	Win 10 Tweaker.exe
4572	DCRatBuild.exe
1688	AgentWeb.exe
5356	RuntimeBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io
9	ipinfo.io

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	AgentWeb.exe
File created	C:\Program Files\Windows Defender\SppExtComObj.exe	AgentWeb.exe
File opened for modification	C:\Program Files\Windows Defender\SppExtComObj.exe	AgentWeb.exe
File created	C:\Program Files\Windows Defender\e1ef82546f0b02	AgentWeb.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	AgentWeb.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\SHARED\RuntimeBroker.exe	AgentWeb.exe
File created	C:\Windows\InputMethod\SHARED\9e8d7a4ca61bd9	AgentWeb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Win 10 Tweaker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Win 10 Tweaker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Win 10 Tweaker.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000_Classes\Local Settings	AgentWeb.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5992	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
2628	schtasks.exe
3076	schtasks.exe
3240	schtasks.exe
4536	schtasks.exe
1484	schtasks.exe
4780	schtasks.exe
4012	schtasks.exe
3124	schtasks.exe
3936	schtasks.exe
3816	schtasks.exe
3960	schtasks.exe
3860	schtasks.exe
1208	schtasks.exe
1920	schtasks.exe
2580	schtasks.exe
1000	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe
1688	AgentWeb.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	4556	Win 10 Tweaker.exe
Token: SeBackupPrivilege	4556	Win 10 Tweaker.exe
Token: SeTakeOwnershipPrivilege	4556	Win 10 Tweaker.exe
Token: SeDebugPrivilege	1688	AgentWeb.exe
Token: SeRestorePrivilege	4556	Win 10 Tweaker.exe
Token: SeBackupPrivilege	4556	Win 10 Tweaker.exe
Token: SeTakeOwnershipPrivilege	4556	Win 10 Tweaker.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	4288	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	5356	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4556	1152	35DE7C29B04A8DDF9846DC4E72EADFA8.exe	86
PID 1152 wrote to memory of 4556	1152	35DE7C29B04A8DDF9846DC4E72EADFA8.exe	86
PID 1152 wrote to memory of 4572	1152	35DE7C29B04A8DDF9846DC4E72EADFA8.exe	87
PID 1152 wrote to memory of 4572	1152	35DE7C29B04A8DDF9846DC4E72EADFA8.exe	87
PID 1152 wrote to memory of 4572	1152	35DE7C29B04A8DDF9846DC4E72EADFA8.exe	87
PID 4572 wrote to memory of 4552	4572	DCRatBuild.exe	88
PID 4572 wrote to memory of 4552	4572	DCRatBuild.exe	88
PID 4572 wrote to memory of 4552	4572	DCRatBuild.exe	88
PID 4552 wrote to memory of 2216	4552	WScript.exe	89
PID 4552 wrote to memory of 2216	4552	WScript.exe	89
PID 4552 wrote to memory of 2216	4552	WScript.exe	89
PID 2216 wrote to memory of 1688	2216	cmd.exe	91
PID 2216 wrote to memory of 1688	2216	cmd.exe	91
PID 4556 wrote to memory of 752	4556	Win 10 Tweaker.exe	93
PID 4556 wrote to memory of 752	4556	Win 10 Tweaker.exe	93
PID 752 wrote to memory of 848	752	cmd.exe	95
PID 752 wrote to memory of 848	752	cmd.exe	95
PID 752 wrote to memory of 4028	752	cmd.exe	96
PID 752 wrote to memory of 4028	752	cmd.exe	96
PID 1688 wrote to memory of 3772	1688	AgentWeb.exe	115
PID 1688 wrote to memory of 3772	1688	AgentWeb.exe	115
PID 1688 wrote to memory of 4148	1688	AgentWeb.exe	116
PID 1688 wrote to memory of 4148	1688	AgentWeb.exe	116
PID 1688 wrote to memory of 1400	1688	AgentWeb.exe	117
PID 1688 wrote to memory of 1400	1688	AgentWeb.exe	117
PID 1688 wrote to memory of 3204	1688	AgentWeb.exe	118
PID 1688 wrote to memory of 3204	1688	AgentWeb.exe	118
PID 1688 wrote to memory of 3520	1688	AgentWeb.exe	119
PID 1688 wrote to memory of 3520	1688	AgentWeb.exe	119
PID 1688 wrote to memory of 3568	1688	AgentWeb.exe	120
PID 1688 wrote to memory of 3568	1688	AgentWeb.exe	120
PID 1688 wrote to memory of 1508	1688	AgentWeb.exe	121
PID 1688 wrote to memory of 1508	1688	AgentWeb.exe	121
PID 1688 wrote to memory of 1588	1688	AgentWeb.exe	122
PID 1688 wrote to memory of 1588	1688	AgentWeb.exe	122
PID 1688 wrote to memory of 2236	1688	AgentWeb.exe	123
PID 1688 wrote to memory of 2236	1688	AgentWeb.exe	123
PID 1688 wrote to memory of 5024	1688	AgentWeb.exe	124
PID 1688 wrote to memory of 5024	1688	AgentWeb.exe	124
PID 1688 wrote to memory of 1240	1688	AgentWeb.exe	125
PID 1688 wrote to memory of 1240	1688	AgentWeb.exe	125
PID 1688 wrote to memory of 4336	1688	AgentWeb.exe	126
PID 1688 wrote to memory of 4336	1688	AgentWeb.exe	126
PID 1688 wrote to memory of 2364	1688	AgentWeb.exe	127
PID 1688 wrote to memory of 2364	1688	AgentWeb.exe	127
PID 1688 wrote to memory of 4332	1688	AgentWeb.exe	128
PID 1688 wrote to memory of 4332	1688	AgentWeb.exe	128
PID 1688 wrote to memory of 4308	1688	AgentWeb.exe	129
PID 1688 wrote to memory of 4308	1688	AgentWeb.exe	129
PID 1688 wrote to memory of 2476	1688	AgentWeb.exe	130
PID 1688 wrote to memory of 2476	1688	AgentWeb.exe	130
PID 1688 wrote to memory of 4288	1688	AgentWeb.exe	131
PID 1688 wrote to memory of 4288	1688	AgentWeb.exe	131
PID 1688 wrote to memory of 3836	1688	AgentWeb.exe	132
PID 1688 wrote to memory of 3836	1688	AgentWeb.exe	132
PID 1688 wrote to memory of 4504	1688	AgentWeb.exe	151
PID 1688 wrote to memory of 4504	1688	AgentWeb.exe	151
PID 4504 wrote to memory of 5676	4504	cmd.exe	153
PID 4504 wrote to memory of 5676	4504	cmd.exe	153
PID 4504 wrote to memory of 5992	4504	cmd.exe	154
PID 4504 wrote to memory of 5992	4504	cmd.exe	154
PID 4504 wrote to memory of 5356	4504	cmd.exe	155
PID 4504 wrote to memory of 5356	4504	cmd.exe	155

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe
"C:\Users\Admin\AppData\Local\Temp\35DE7C29B04A8DDF9846DC4E72EADFA8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe
  "C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c chcp 65001 & cls & compact /compactos:query
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:848
  - - C:\Windows\system32\compact.exe
      compact /compactos:query
      4⤵
      PID:4028
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\HyperChainfontsavesmonitor\VPTeWp0smbQ3qHZZcYkR4mgdSacpq1BQvDCAsQjp2MnhMD2wVcQQLBRVQ.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\HyperChainfontsavesmonitor\ye0QVtfzdmAHBoO0xyfpKNTjr1iJYvGquri2e5NU7SmBq2hfP7YACWvOyXf.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\HyperChainfontsavesmonitor\AgentWeb.exe
        
        "C:\HyperChainfontsavesmonitor/AgentWeb.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/HyperChainfontsavesmonitor/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\AgentWeb.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\SppExtComObj.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\HyperChainfontsavesmonitor\AgentWeb.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYhrWgyTRm.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5676
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5992
        
        C:\HyperChainfontsavesmonitor\RuntimeBroker.exe
        
        "C:\HyperChainfontsavesmonitor\RuntimeBroker.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\InputMethod\SHARED\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\HyperChainfontsavesmonitor\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\HyperChainfontsavesmonitor\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\AgentWeb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWeb" /sc ONLOGON /tr "'C:\Users\Default User\AgentWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\AgentWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 10 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWeb" /sc ONLOGON /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AgentWebA" /sc MINUTE /mo 7 /tr "'C:\HyperChainfontsavesmonitor\AgentWeb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HyperChainfontsavesmonitor\AgentWeb.exe

Filesize
2.5MB

MD5
4b20a0a921bf2778c6d643f3afdb8419

SHA1
195f17c986b1942e62c2269d1d0b2a63e18d110d

SHA256
e7b025bc1f1fc181c8de6fc035d28ddf3acbbb394cbc29f46dc4b39f96718442

SHA512
f651a219ca65038ae6b9d3580ea23bc1e9411e7dea46c1f07afdfa12306803ce52e6477de5cefb3aa937785d08a71aaf7ad2b3e5c22eef3df469c8be4e82e372

Download Submit
C:\HyperChainfontsavesmonitor\VPTeWp0smbQ3qHZZcYkR4mgdSacpq1BQvDCAsQjp2MnhMD2wVcQQLBRVQ.vbe

Filesize
263B

MD5
08171dc11a58c300408352870959ce45

SHA1
5d61e429f578cea630ea54cc4a27239a00e3ae08

SHA256
5f140165d4ec9dfd66792e9cfb710b0ee1f65f2b9ec276746f1a93037c963e47

SHA512
7d99d4fa9840fb80bcd87a86353464408f1a0a68a4ff428d4a0d28af085fcbd1901c62c560c9c24896bd84237b641c84afea9319ee5ed9fc892c060132c8c1fb

Download Submit
C:\HyperChainfontsavesmonitor\ye0QVtfzdmAHBoO0xyfpKNTjr1iJYvGquri2e5NU7SmBq2hfP7YACWvOyXf.bat

Filesize
90B

MD5
880fd79f115c3b7f289427dfc8c4950c

SHA1
87ee49153a0cd7d585b9f181b556189254c2117d

SHA256
c95faa1c733a2f18bd665a7a9c8a82d256edfd066c1ddaff7d54841e45cba6d0

SHA512
17febaa1fda2027885a554ad43d3e060454b3bb93d88ef82bc9c89dcbe574c8316ba665c3bcfa4b9d9df45014820acbb55081b15dc31c60774a3d5a9221cbeea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
2.8MB

MD5
dab4e930c87d238e4cdb33e0e64c3b28

SHA1
aaed628d72ad1c16aeb8957ce606783352d5fb1f

SHA256
8577d3ed5cf75eea951fbadd42d61eda1b23e0353e7f39db3b2d67085759ef9e

SHA512
dd02f7b2609032437714af6ae3e385268f68817c20adcef8b038f536466f1a31bf838a0bd3ec942b2a2d47ba0da13fa642573edd4864c0bbe498e5493bf80f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Win 10 Tweaker.exe

Filesize
1.7MB

MD5
284adb37469a257c1c38771f779fe221

SHA1
e9472ae1b52020ddcbe786672ac10cca78acdef8

SHA256
6eef0272844e65f51d32eec425fb5e2eb2490ddef9ab14b7f1af569d154940a8

SHA512
3be96daa1a098b8739a6558acff5486a728ecad8a31ea29927f88d64d4071bd1c54311205a3c8bbb301e129c607b5fa8e75dfb88ca12d9ff333354f4b6c9995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2hlqgw0b.ng5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYhrWgyTRm.bat

Filesize
175B

MD5
4081842fdf3c984e7289ea8266c84107

SHA1
808370116e8416b53a42fcc7ebcf59a077fc3dd2

SHA256
76e088a08dee11a0ac517b61d0605291309925ddf3f086b2a07abed6d3655def

SHA512
9e6ae56b605b044e298cc92055bf2123024592dbf67cb6784f3e0774e0f994b64d917cb9b97b25ba6ed25c08e70db559e28e6856e636453481339cc8fcd7612b

Download Submit
memory/1688-49-0x000000001BCB0000-0x000000001BCC8000-memory.dmp

Filesize
96KB

Download
memory/1688-67-0x000000001BD80000-0x000000001BD8C000-memory.dmp

Filesize
48KB

Download
memory/1688-46-0x000000001BC90000-0x000000001BCAC000-memory.dmp

Filesize
112KB

Download
memory/1688-47-0x000000001BD30000-0x000000001BD80000-memory.dmp

Filesize
320KB

Download
memory/1688-39-0x0000000000EE0000-0x0000000001160000-memory.dmp

Filesize
2.5MB

Download
memory/1688-51-0x0000000003340000-0x000000000334E000-memory.dmp

Filesize
56KB

Download
memory/1688-53-0x000000001BCD0000-0x000000001BCE2000-memory.dmp

Filesize
72KB

Download
memory/1688-55-0x000000001BC70000-0x000000001BC7C000-memory.dmp

Filesize
48KB

Download
memory/1688-57-0x000000001BC80000-0x000000001BC8C000-memory.dmp

Filesize
48KB

Download
memory/1688-59-0x000000001BCF0000-0x000000001BD00000-memory.dmp

Filesize
64KB

Download
memory/1688-61-0x000000001CBC0000-0x000000001CC1A000-memory.dmp

Filesize
360KB

Download
memory/1688-63-0x000000001BD00000-0x000000001BD0E000-memory.dmp

Filesize
56KB

Download
memory/1688-65-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/1688-44-0x0000000003330000-0x000000000333E000-memory.dmp

Filesize
56KB

Download
memory/4556-41-0x00000220F3C70000-0x00000220F3C76000-memory.dmp

Filesize
24KB

Download
memory/4556-40-0x00000220F64E0000-0x00000220F6502000-memory.dmp

Filesize
136KB

Download
memory/4556-42-0x00000220F6E30000-0x00000220F6E52000-memory.dmp

Filesize
136KB

Download
memory/4556-34-0x00000220DA5A0000-0x00000220DA5A6000-memory.dmp

Filesize
24KB

Download
memory/4556-33-0x00000220F3010000-0x00000220F3288000-memory.dmp

Filesize
2.5MB

Download
memory/4556-32-0x00007FFE3A740000-0x00007FFE3B201000-memory.dmp

Filesize
10.8MB

Download
memory/4556-29-0x00000220DA510000-0x00000220DA52E000-memory.dmp

Filesize
120KB

Download
memory/4556-19-0x00000220D87F0000-0x00000220D89B6000-memory.dmp

Filesize
1.8MB

Download
memory/4556-16-0x00007FFE3A743000-0x00007FFE3A745000-memory.dmp

Filesize
8KB

Download
memory/4556-286-0x00007FFE3A743000-0x00007FFE3A745000-memory.dmp

Filesize
8KB

Download
memory/4556-287-0x00007FFE3A740000-0x00007FFE3B201000-memory.dmp

Filesize
10.8MB

Download