5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902

Analysis

max time kernel
280s
max time network
320s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
13-03-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe
Size

29.1MB
MD5

455d09c663437e9285eb22658461db67
SHA1

37766a5bf553b3dab762f63f978330f4b04461d8
SHA256

5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902
SHA512

98c2c88076e7266a1ec7a01de8fd68056e2a888115bc362070d91a68ca86b993c2e243dc8b1fd5581e14c4f05755a3283f1648a7cce784a00eace27fe9fa27b8
SSDEEP

786432:HTEV13T27T8+ZNlwpBdwijPifBagbhiz/XfdXLWXMmFRoMqF1xJ:HTEV13n4NgdwiInFe/xWXMISL

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2420	autorun.exe
2072	windows10manager.exe
2520	windows10manager.exe

Loads dropped DLL 9 IoCs

pid	Process
2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe
2420	autorun.exe
2420	autorun.exe
3008	MsiExec.exe
3008	MsiExec.exe
2072	windows10manager.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	928	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	windows10manager.exe
File opened (read-only)	\??\V:	windows10manager.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	windows10manager.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	windows10manager.exe
File opened (read-only)	\??\K:	windows10manager.exe
File opened (read-only)	\??\M:	windows10manager.exe
File opened (read-only)	\??\P:	windows10manager.exe
File opened (read-only)	\??\Q:	windows10manager.exe
File opened (read-only)	\??\J:	windows10manager.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	windows10manager.exe
File opened (read-only)	\??\I:	windows10manager.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	windows10manager.exe
File opened (read-only)	\??\W:	windows10manager.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	windows10manager.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	windows10manager.exe
File opened (read-only)	\??\R:	windows10manager.exe
File opened (read-only)	\??\X:	windows10manager.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	windows10manager.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	windows10manager.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	windows10manager.exe
File opened (read-only)	\??\U:	windows10manager.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	windows10manager.exe
File opened (read-only)	\??\Z:	windows10manager.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f79906d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f79906d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB681.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB76C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB819.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
1780	taskkill.exe
1544	taskkill.exe
3068	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	windows10manager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	windows10manager.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2420	autorun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2676	AUDIODG.EXE
Token: 33	2676	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2676	AUDIODG.EXE
Token: SeRestorePrivilege	928	msiexec.exe
Token: SeTakeOwnershipPrivilege	928	msiexec.exe
Token: SeSecurityPrivilege	928	msiexec.exe
Token: SeCreateTokenPrivilege	2072	windows10manager.exe
Token: SeAssignPrimaryTokenPrivilege	2072	windows10manager.exe
Token: SeLockMemoryPrivilege	2072	windows10manager.exe
Token: SeIncreaseQuotaPrivilege	2072	windows10manager.exe
Token: SeMachineAccountPrivilege	2072	windows10manager.exe
Token: SeTcbPrivilege	2072	windows10manager.exe
Token: SeSecurityPrivilege	2072	windows10manager.exe
Token: SeTakeOwnershipPrivilege	2072	windows10manager.exe
Token: SeLoadDriverPrivilege	2072	windows10manager.exe
Token: SeSystemProfilePrivilege	2072	windows10manager.exe
Token: SeSystemtimePrivilege	2072	windows10manager.exe
Token: SeProfSingleProcessPrivilege	2072	windows10manager.exe
Token: SeIncBasePriorityPrivilege	2072	windows10manager.exe
Token: SeCreatePagefilePrivilege	2072	windows10manager.exe
Token: SeCreatePermanentPrivilege	2072	windows10manager.exe
Token: SeBackupPrivilege	2072	windows10manager.exe
Token: SeRestorePrivilege	2072	windows10manager.exe
Token: SeShutdownPrivilege	2072	windows10manager.exe
Token: SeDebugPrivilege	2072	windows10manager.exe
Token: SeAuditPrivilege	2072	windows10manager.exe
Token: SeSystemEnvironmentPrivilege	2072	windows10manager.exe
Token: SeChangeNotifyPrivilege	2072	windows10manager.exe
Token: SeRemoteShutdownPrivilege	2072	windows10manager.exe
Token: SeUndockPrivilege	2072	windows10manager.exe
Token: SeSyncAgentPrivilege	2072	windows10manager.exe
Token: SeEnableDelegationPrivilege	2072	windows10manager.exe
Token: SeManageVolumePrivilege	2072	windows10manager.exe
Token: SeImpersonatePrivilege	2072	windows10manager.exe
Token: SeCreateGlobalPrivilege	2072	windows10manager.exe
Token: SeCreateTokenPrivilege	2072	windows10manager.exe
Token: SeAssignPrimaryTokenPrivilege	2072	windows10manager.exe
Token: SeLockMemoryPrivilege	2072	windows10manager.exe
Token: SeIncreaseQuotaPrivilege	2072	windows10manager.exe
Token: SeMachineAccountPrivilege	2072	windows10manager.exe
Token: SeTcbPrivilege	2072	windows10manager.exe
Token: SeSecurityPrivilege	2072	windows10manager.exe
Token: SeTakeOwnershipPrivilege	2072	windows10manager.exe
Token: SeLoadDriverPrivilege	2072	windows10manager.exe
Token: SeSystemProfilePrivilege	2072	windows10manager.exe
Token: SeSystemtimePrivilege	2072	windows10manager.exe
Token: SeProfSingleProcessPrivilege	2072	windows10manager.exe
Token: SeIncBasePriorityPrivilege	2072	windows10manager.exe
Token: SeCreatePagefilePrivilege	2072	windows10manager.exe
Token: SeCreatePermanentPrivilege	2072	windows10manager.exe
Token: SeBackupPrivilege	2072	windows10manager.exe
Token: SeRestorePrivilege	2072	windows10manager.exe
Token: SeShutdownPrivilege	2072	windows10manager.exe
Token: SeDebugPrivilege	2072	windows10manager.exe
Token: SeAuditPrivilege	2072	windows10manager.exe
Token: SeSystemEnvironmentPrivilege	2072	windows10manager.exe
Token: SeChangeNotifyPrivilege	2072	windows10manager.exe
Token: SeRemoteShutdownPrivilege	2072	windows10manager.exe
Token: SeUndockPrivilege	2072	windows10manager.exe
Token: SeSyncAgentPrivilege	2072	windows10manager.exe
Token: SeEnableDelegationPrivilege	2072	windows10manager.exe
Token: SeManageVolumePrivilege	2072	windows10manager.exe
Token: SeImpersonatePrivilege	2072	windows10manager.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	windows10manager.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe
2420	autorun.exe
2420	autorun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2756 wrote to memory of 2420	2756	5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe	28
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 2420 wrote to memory of 2072	2420	autorun.exe	30
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 928 wrote to memory of 3008	928	msiexec.exe	32
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2072 wrote to memory of 2520	2072	windows10manager.exe	33
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 2520 wrote to memory of 1992	2520	windows10manager.exe	34
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 928 wrote to memory of 1292	928	msiexec.exe	35
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 2420 wrote to memory of 1344	2420	autorun.exe	36
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 1344 wrote to memory of 3068	1344	cmd.exe	38
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 2420 wrote to memory of 1948	2420	autorun.exe	40
PID 1948 wrote to memory of 1780	1948	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe
"C:\Users\Admin\AppData\Local\Temp\5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe" "SFXSOURCE:C:\Users\Admin\AppData\Local\Temp\5981da840de1f11435516fbee1f1d84f30ae0452285e5080a306b65fe3f39902.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe
    AutoPlay\Docs\windows10manager.exe /passive /quiet /NORESTART
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe
      C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe /i C:\Users\Admin\AppData\Local\Temp\{CFF51D90-CB0F-4DC3-BDDC-CA12D3CEC8A9}\Windows10ManagerSetup.x64.msi /passive /quiet /NORESTART AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\ "EXE_CMD_LINE=/exenoupdates /forcecleanup /wintime 1710098665 /passive /quiet /NORESTART " CLIENTPROCESSID=2072 CHAINERUIPROCESSID=2072Chainer AI_UNINSTALLER=msiexec.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\{CFF51D90-CB0F-4DC3-BDDC-CA12D3CEC8A9}\Windows10ManagerSetup.x64.msi /passive /quiet /NORESTART AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1710098665 /passive /quiet /NORESTART " CLIENTPROCESSID=2072 CHAINERUIPROCESSID=2072Chainer AI_UNINSTALLER=msiexec.exe
        5⤵
        Enumerates connected drives
        
        PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Windows10Manager1.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /t /im "Windows10Manager.exe"
      4⤵
      Kills process with taskkill
      PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Windows10Manager2.cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /t /im "Windows10Manager.exe"
      4⤵
      Kills process with taskkill
      PID:1780
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Windows10Manager1.cmd
    3⤵
    PID:112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /f /t /im "Windows10Manager.exe"
      4⤵
      Kills process with taskkill
      PID:1544

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x25c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B67D5FC043D0161733E9B1053CE1270F C
  2⤵
  - Loads dropped DLL
  PID:3008
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 862E3F81A0A96E6317AD2737030B4DDC
  2⤵
  - Loads dropped DLL
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6525274CBC2077D43D7D17A33C868C4F

Filesize
959B

MD5
d5e98140c51869fc462c8975620faa78

SHA1
07e032e020b72c3f192f0628a2593a19a70f069e

SHA256
5c58468d55f58e497e743982d2b50010b6d165374acf83a7d4a32db768c4408e

SHA512
9bd164cc4b9ef07386762d3775c6d9528b82d4a9dc508c3040104b8d41cfec52eb0b7e6f8dc47c5021ce2fe3ca542c4ae2b54fd02d76b0eabd9724484621a105

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6525274CBC2077D43D7D17A33C868C4F

Filesize
192B

MD5
f86d57fa0ce9009037573eedc3f2b2f0

SHA1
878872e69b3a7aa2e3706717c16c801e089f605d

SHA256
c086deff9240e47a9787444997ef67e0b713fbdeea2e652b3c14730774470ebf

SHA512
167eaa3696b69ebbd0eb8cb5e21386a54f20f08813aa9c84bf3cbfac2a9adae462af66ed704f23f6b32b511c7461800beca179baf00bd1b9599c3b942ebd1670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ca2560a10d72d995cf38ea25dd5b356

SHA1
3eb2ca0e79eefec49b327d2d656d0d6092ca273b

SHA256
747c8e6f9e86f0c0abfbb3b2ac2a5a828c76da248c48ec35fdb0760ff039130a

SHA512
52049c298d6822efda97638a26a59142164a644a84866744fa389ed989c8acc24a6989d3a57279b55db2062ae3b817ce641985f13f3f3e65014a506dbbef2025

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7FDC.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8CDD.tmp

Filesize
391KB

MD5
a32decee57c661563b038d4f324e2b42

SHA1
3f381a7e31f450a40c8c2cf2c40c36a61fb7a4c2

SHA256
fcf24b9b574ed026d3f68b7b70aa6533806ba7fc566c476ccb62e6493ac28f04

SHA512
e17c125adad4702c9a30639858e22a2f0dc4f2926fca89758d544c62fe1fb95360dabd5bd2de2f62a607158bd9ef108c60d8cb5ce709c634668ee509988214f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8DF7.tmp

Filesize
864KB

MD5
4e2e67fc241ab6e440ad2789f705fc69

SHA1
bda5f46c1f51656d3cbad481fa2c76a553f03aba

SHA256
98f4ebaa6ea1083e98ea0dd5c74c2cb22b1375c55b6a12cfdc5d877f716de392

SHA512
452df66dd2b09485bf92d92b72b3ad2638cbf0a570741b80309056d1e67e68a18cbd0ad3616a2943bb29de62a057848a7382b6c64c3821335a51b0a03131564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84EE.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar85FD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\Windows10Manager2.cmd

Filesize
58B

MD5
42f738fabb7c44915d18e7d1fe1c21ef

SHA1
2350808774ab656a5959010a93bd993d07c1f070

SHA256
4063215c91499a85e5f98929ff0c50496e4a8454b4849de6f32b7dac25088cdc

SHA512
0cf0a832a9656438b8414c20e9263a314b5573c5f67e5d2c689dee43cda2478f5b80572d1819f564637218883f487ca69df67a67d924b2a81f92ea8b97e0f3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe

Filesize
7.1MB

MD5
fba584f6bbcd9a20874a1d216364b805

SHA1
57146208f9068461472ddb416d60e87b9d5c2c93

SHA256
34c358c9680da0d920973a34f54750ffb84fc8035d8e5afbe59e363fca3ef509

SHA512
73805d3e4f21629611be1be1efc57a604df3c5409680a66f3349bf50d06b4bdefba9425834536239e36c7186792f7e9f062ecb6d225783153491f90cc8310325

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe

Filesize
8.4MB

MD5
285502f1650f0577052184d609de69a0

SHA1
ec20bb825aa052f4e436b1088a285804da78ca39

SHA256
0345b837ecfa19e346bcbccff0b881ee17fbf908b791bf42bb97885e621a85cd

SHA512
74ec6ee952c8338c53dfa417f610a31b02a0b5d87ab29a768b6ef3d17e0bd0cadfd9434a8dcead0aae08229bdff37f8f42ca58fadb193b00bd97a375b38c74c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe

Filesize
9.0MB

MD5
4cff2f2d3a4010ec4d3853cc142621ff

SHA1
8b7ad204e9a178bc78048c2e6513d704509a9d07

SHA256
69b9350da714e93103b6743f0c266d4c2da858253feec2d5affcd3d37f632937

SHA512
d7c4837030eeb4e221ce5d29007376dd4b448511c53ac4699f6a6d93dcf67ed8a4e290f905bfa987b00c618f1a9eedd5ecef4de1290a0be68e7cd1d814ef852b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Icons\0000.ico

Filesize
297KB

MD5
425409f3222640165930694ea8cf99d0

SHA1
87597af4ef7cb9d84c1734d369013d11f067309d

SHA256
ab45146643bcf85787d90e0b5e2cc02bc1ddeefb3a0b1da2439b7437c51b2d5f

SHA512
7ef75e5bb20023db24b58fff7980fcb85796c7a1d0e125f76bdbeda6516861c9fe4d9bc2aaea1f1d5492e7f9ec0d34a709e421e47996a7ddc084a9966561dfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\autorun.cdd

Filesize
13KB

MD5
a1bb7be9c4438b14689a856c77374e8a

SHA1
491c7c3288c59da8985151f9135dccf6f32e5e27

SHA256
923a970d178ca244d8fb69559fc2e2b0b255d19d1ef2f62cd8fb90c581a8a663

SHA512
d01d28a780b8c3647b617e7d06a6562cea733dd21a7088dfd9aa0482eee82f9d1aaf3879a27c7320d58a2a1c75a4b0585f25368faadfb08f2de775c465367c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
4.4MB

MD5
0f626b3ea3c5d7fc02f643371c405614

SHA1
c8b89a6eb073e20c55479ace91a0cab94460a02b

SHA256
50639f1ad43f880601a36d1df938f042aed1386f02a2f572426b1cdda6c5b1a4

SHA512
0d84914f74f38818ee43820ac5f953bd559d5483af97055f4a52070c9cd4cd0ea9186e72176335a6a6854271e807281d9ab829db1e9cab9674de14b3288381f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
4.6MB

MD5
1c140df38eb4bd7f9a3b88e98f34a9af

SHA1
b5c6288be22fb070787b916680174a6159fd4780

SHA256
2dce1f3737e1a0ab67b1549a91e6f84b9f10be5f2341d8f092e9b9ca81db0879

SHA512
c037fd38635db32a2293c0f978f7d265359afb8e7dcd1eb8b02a22851873f7153b4356679a30f6eeabb238435e49525de8fe3d25e7f802dfdd2330a488cf57e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
384KB

MD5
a959ecb45147dc3fa3b2825d5d832a5c

SHA1
0174b52d4518bcf12437d2a7fde4ba64c3a4e89e

SHA256
484abaa09f7c6147b6e73b3f4710f9c957259f3ae17d8ee294c98602b9e28bd7

SHA512
1a3c56706278c53492949095fcff09a08d5136be85889378d6f0c381933b998e853d8974f38f73252cff332daac4ce240bae36e1df4cb696d8aba6aae0f3ba6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
64KB

MD5
f00959d3088f4e2a437a1f5f7081aa96

SHA1
76a218cb8f63c2ec327939a842af8fa9102d73d1

SHA256
1b295f1c7f54baaf88f65520ca0d0eef2eed8aa3b3cb88565519a0e0aaf40ca9

SHA512
c3f7caf5a04ada391da79df3693a72c347d1b62c55db8dd653edbd54c69f89647afb943df0b607ba1e66f01cc2c3c1d3c2876bb64820e2e10766b70a04505fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CFF51D90-CB0F-4DC3-BDDC-CA12D3CEC8A9}\Windows10ManagerSetup.x64.msi

Filesize
4.3MB

MD5
48b8c2404ac4cf609ba1468e343a73cf

SHA1
20d5c8caa8f8c2a9be2ad47b7bcf8801c0e2ae37

SHA256
950500f83a8dc5efbd8ca81ee9352b450a58c923f7f16b3c246c68525093f257

SHA512
eb14fcd15106fb6f2021a41f865b8b740f9d0823d8faa030b60e6cef1116e71998b13841dbae2f844dc756ae1140845f60e7c4937bb72d4f438c4b52aafa3e42

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe

Filesize
6.5MB

MD5
0cdbd6b593dd675ef3f9e1d970486488

SHA1
bf2a94dcffbbe516a3664510d68d6cca2dc8c14b

SHA256
3e14c499aacc829b84529fda53f53412729aa97d5e92b7f6a560e3760b671865

SHA512
7a4da2a193ad00d3749dcb731384de0c350e364e0f891fc735c907916869ed7be607671dd1d77e73688e52c3af2799fcc8d15b9da0432340404bc3967a25fc14

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\AutoPlay\Docs\windows10manager.exe

Filesize
7.7MB

MD5
da6b4a1f96c0540e073105a92ff99854

SHA1
aeacd9e0c7daef55d1add9037b87724324daecaf

SHA256
d452d452135beb134d05ff50492ba949f86a46d4a6f9bd266270b44018e52162

SHA512
24d94b5e589c065a23af5ea4f754bb9aedd7f8459cd4324a41c6ce138e1dde01b32b74d1d14f58d15294a29f54d8df2dc7870cb02bc8d41a83b6c9e83184baac

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\autorun.exe

Filesize
3.6MB

MD5
d6931fcc1c0dcfba4af3745a932ab544

SHA1
893167bb3345055c0fb42e7a3b0f74e4ce43dd05

SHA256
5cf359af85e4348fed46f7b6c6ebb7ef495a2928f5c79ea94458d4b0e9218cf2

SHA512
ff03aa902f7839aa70f005bc6a523b4ab94efff4704868204c3ec84c95fbdfdbff27b14b84302d89a769373d64db2fa5a472fe32fd082e5ab31c833c019fcd82

Download Submit
\Users\Admin\AppData\Local\Temp\ir_ext_temp_0\lua5.1.dll

Filesize
327KB

MD5
50f1d9f2093914c7712068608f3d66f2

SHA1
c38c655526b9ba929f01259cd35abb65744448f0

SHA256
ebeb211dfe4fce993d63206b2e3f284b569274db4730a8ee341ee81eccac9a5f

SHA512
07841d260770288f34b3e6413f6044742d82794d0812d9d58ebb2b881f935ee7661c94acddcf3a25817a98168789de0e0e0a98baaddbac2ec097a3efdd22c9ac

Download Submit