Analysis
max time kernel: 111s
max time network: 114s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64 arch:x86 image:win11-20240802-en locale:en-us os:windows11-21h2-x64 system
submitted: 11/09/2024, 15:21
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
Resource: win11-20240802-en
General
Target: https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid   Process
3736  resource_hacker_setup.exe
2316  resource_hacker_setup.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 23 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\Resource Hacker\samples\is-N8OOJ.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\is-CTT8T.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\is-O3BL7.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\is-K2I2E.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-7H67B.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-3JCJE.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-GQUJ4.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\samples\is-EGSO5.tmp  resource_hacker_setup.tmp
File opened for modification  C:\Program Files (x86)\Resource Hacker\unins000.dat  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\samples\is-L05U1.tmp  resource_hacker_setup.tmp
File opened for modification  C:\Program Files (x86)\Resource Hacker\ResourceHacker.exe  resource_hacker_setup.tmp
File opened for modification  C:\Program Files (x86)\Resource Hacker\samples\sample2.dll  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\unins000.dat  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\is-SMKU2.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-02G6M.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-0QR1S.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\samples\is-DARUH.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-LNLHL.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-T27RU.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-US1GJ.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-CKTSO.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\help\is-CLQPE.tmp  resource_hacker_setup.tmp
File created  C:\Program Files (x86)\Resource Hacker\samples\is-25NFN.tmp  resource_hacker_setup.tmp
Drops file in Windows directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Windows\SystemTemp  chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier  chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  resource_hacker_setup.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  resource_hacker_setup.tmp
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  NOTEPAD.EXE
Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS 2 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133705418234105037"  chrome.exe
Modifies registry class 1 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings  resource_hacker_setup.tmp
NTFS ADS 1 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\Downloads\resource_hacker_setup.exe:Zone.Identifier  chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid   Process
2616  chrome.exe
2616  chrome.exe
2316  resource_hacker_setup.tmp
2316  resource_hacker_setup.tmp
2616  chrome.exe
2616  chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid   Process
2616  chrome.exe
2616  chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 38 IoCs
Suspicious use of SendNotifyMessage 12 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 1, PID 2616)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1253355272668319746/1283444163664154726/resource_hacker_setup.exe?ex=66e30405&is=66e1b285&hm=ba785873f5f2849a947c27dba4aea532ae614cad56a320c07c77acd7341395b5&
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3304)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0d9fcc40,0x7ffd0d9fcc4c,0x7ffd0d9fcc58

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 844)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1824,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1820 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 1928)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4828)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2352 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 1352)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3088 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3340)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 1916)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4688,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4836 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 4148)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4804,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3024)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5184,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5144 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 1624)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 3680)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5280,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4660 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2, PID 2088)
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5216,i,3599799819782438989,16700747695373727880,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5256 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS

    C:\Users\Admin\Downloads\resource_hacker_setup.exe  (depth 2, PID 3736)
      "C:\Users\Admin\Downloads\resource_hacker_setup.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Local\Temp\is-ICP7O.tmp\resource_hacker_setup.tmp  (depth 3, PID 2316)
          "C:\Users\Admin\AppData\Local\Temp\is-ICP7O.tmp\resource_hacker_setup.tmp" /SL5="$A0262,3411549,870400,C:\Users\Admin\Downloads\resource_hacker_setup.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow

            C:\Windows\SysWOW64\NOTEPAD.EXE  (depth 4, PID 724)
              "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\Resource Hacker\ReadMe.txt
              - System Location Discovery: System Language Discovery

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (depth 1, PID 3456)
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (depth 1, PID 1628)
  C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
Downloads