Analysis

max time kernel: 168s
max time network: 142s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11/09/2024, 15:09

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
Resource: win11-20240802-en

General

Target: https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid   Process
2788  resource_hacker_setup.exe
3300  resource_hacker_setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 23 IoCs
description                    ioc                                                              Process
File opened for modification   C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe         resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\unins000.dat               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-F6E22.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-6JP4M.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\samples\is-R5U21.tmp       resource_hacker_setup.tmp
File opened for modification   C:\Program Files (x86)\Resource Hacker\samples\sample2.dll        resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\is-3KUGF.tmp               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\samples\is-K9VCS.tmp       resource_hacker_setup.tmp
File opened for modification   C:\Program Files (x86)\Resource Hacker\unins000.dat               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\is-CNCKA.tmp               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\is-53HOG.tmp               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-MCCPJ.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-F3KV8.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-4AO8C.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\samples\is-SDJFH.tmp       resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\samples\is-0MEGC.tmp       resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\samples\is-3BPOS.tmp       resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\is-76OTV.tmp               resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-1EP8H.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-JM97U.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-ELOGK.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-IIF8L.tmp          resource_hacker_setup.tmp
File created                   C:\Program Files (x86)\Resource Hacker\help\is-I4IFB.tmp          resource_hacker_setup.tmp
Drops file in Windows directory 1 IoCs
description                    ioc                     Process
File opened for modification   C:\Windows\SystemTemp   chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description                    ioc                                                                  Process
File opened for modification   C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier   chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   resource_hacker_setup.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   resource_hacker_setup.tmp
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   NOTEPAD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description         ioc                                                                    Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description       ioc                                                                                                     Process
Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705410354854311"   chrome.exe
Modifies registry class 1 IoCs
description   ioc                                                                                 Process
Key created   \REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings   resource_hacker_setup.tmp
NTFS ADS 1 IoCs
description                    ioc                                                                  Process
File opened for modification   C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier   chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid   Process
4296  chrome.exe
4296  chrome.exe
2380  chrome.exe
2380  chrome.exe
2380  chrome.exe
2380  chrome.exe
3300  resource_hacker_setup.tmp
3300  resource_hacker_setup.tmp
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid   Process
4296  chrome.exe
4296  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description                          pid   Process
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Token: SeShutdownPrivilege           4296  chrome.exe
Token: SeCreatePagefilePrivilege     4296  chrome.exe
Suspicious use of FindShellTrayWindow 36 IoCs
pid   Process
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
3300  resource_hacker_setup.tmp
Suspicious use of SendNotifyMessage 12 IoCs
pid   Process
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
4296  chrome.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4296 wrote to memory of 1424 4296 chrome.exe 81 PID 4296 wrote to memory of 1424 4296 chrome.exe 81 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 484 4296 chrome.exe 82 PID 4296 wrote to memory of 1500 4296 chrome.exe 83 PID 4296 wrote to memory of 1500 4296 chrome.exe 83 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote 
to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84 PID 4296 wrote to memory of 3264 4296 chrome.exe 84
Processes

- Level 1, PID 4296
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
  Signatures:
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

- Level 2, PID 1424
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa09dcc40,0x7fffa09dcc4c,0x7fffa09dcc58

- Level 2, PID 484
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1888 /prefetch:2

- Level 2, PID 1500
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2136 /prefetch:3

- Level 2, PID 3264
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2416 /prefetch:8

- Level 2, PID 3616
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3148 /prefetch:1

- Level 2, PID 832
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3360 /prefetch:1

- Level 2, PID 536
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4704,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4920 /prefetch:8

- Level 2, PID 128
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4972,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4980 /prefetch:8

- Level 2, PID 240
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4960,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5124 /prefetch:8

- Level 2, PID 4888
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5312,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5332 /prefetch:8
  Signatures:
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS

- Level 2, PID 2380
  Image: C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5236,i,821813253965668128,17800077634749013248,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5400 /prefetch:8
  Signatures:
    - Suspicious behavior: EnumeratesProcesses

- Level 2, PID 2788
  Image: C:\Users\Admin\Downloads\resource_hacker_setup.exe
  Command line: "C:\Users\Admin\Downloads\resource_hacker_setup.exe"
  Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

- Level 3, PID 3300
  Image: C:\Users\Admin\AppData\Local\Temp\is-J47CD.tmp\resource_hacker_setup.tmp
  Command line: "C:\Users\Admin\AppData\Local\Temp\is-J47CD.tmp\resource_hacker_setup.tmp" /SL5="$A02E6,3411549,870400,C:\Users\Admin\Downloads\resource_hacker_setup.exe"
  Signatures:
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

- Level 4, PID 2724
  Image: C:\Windows\SysWOW64\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
  Signatures:
    - System Location Discovery: System Language Discovery

- Level 1, PID 1360
  Image: C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

- Level 1, PID 4300
  Image: C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads