82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6

Analysis

max time kernel
138s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Size

1.1MB
MD5

602faf2b2861a0daaa40542abf823102
SHA1

da12ddc68e3e679be0ca0874e01003ea8fa354ef
SHA256

82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6
SHA512

e027f8b63f9ded1ef561005fac56ff01d11e12a41f2dff7353d67ffffa3d3e401c2c78686ddbb6faa77085c473dc4dd5dca1d0595affbd91afe0545510c85450
SSDEEP

24576:WxWVeyRYEwzYDteYIpLU4O8b8ITDnlieqiG:W8YBU4O8b8ITDnlieqv

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MicrosoftOneDriveSetup26962 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OneDriveSetupOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hidtelephonydriver.inf_amd64_43fa6b1db642df7e\WindowsMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_x86_c62e9f8067f98247\I386\SystemPJLMON.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\pspluginwkrMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\RCX3370.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Drops file in Program Files directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdllchromeelf2.1.0.461930603.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ReaderViewerPS.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SystemOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\RCX81E8.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost19.10.20064.310990.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost19.10.20064.310990.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\pluginprcr.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX8AF3.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\MicrosoftWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\ContractVisualStudio.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX8208.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\RCX70EB.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\MicrosoftWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\RCX799A.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX94BB.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\RCX709C.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\en-US\RCX70FC.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\RCX797A.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCX93FF.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX9D49.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCX9DB7.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\RCX8228.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCX8B81.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AcrobatAiod.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX950A.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\MicrosoftEppManifest.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterdllchromeelf2.1.0.461930603.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\MicrosoftEppManifest.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX7959.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AdobeAiod.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ReaderViewerPS.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\ControlControl.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\BrowserClient92.0.902.67.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AdobeAcrobat.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCX8BA1.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..access-unifiedstore_31bf3856ad364e35_10.0.19041.1_none_b6caeb8284c6f970\UnistoreSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..etoolsmqq.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_786e67996d4c3087\WindowsWindows10.0.19041.1.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_system.design.resources_b03f5f7f11d50a3a_4.0.15805.0_it-it_520fb5de6199bfb0\Microsoftresources.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\v4.0_3.0.0.0_es_31bf3856ad364e35\Windowsoperativo.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\EFI\es-ES\MicrosoftWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\d45411995fcf227e7ae64fc50d491d23\SystemActivities.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\d45411995fcf227e7ae64fc50d491d23\RCX33B0.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\en-US\RCXC15E.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..in-gpedit.resources_31bf3856ad364e35_10.0.19041.1_it-it_47ca535473e08f1a\gpeditWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.19041.264_none_53476533f18dc602\Windowsgdiplus.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-gdi_31bf3856ad364e35_10.0.19041.264_none_87b4b95ab967b582\TypeOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..lfeatures.resources_31bf3856ad364e35_10.0.19041.1_it-it_753da63b7aea7a18\Microsoftoperativo.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-accountsrt_31bf3856ad364e35_10.0.19041.264_none_0d7b2f9f635b8d49\SystemWindows10.0.19041.264.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MicrosoftMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MicrosoftMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\EFI\WindowsOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-eapteapext_31bf3856ad364e35_10.0.19041.1_none_5a0c0ba03c76165d\SystemWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft.build.engine.resources_b03f5f7f11d50a3a_4.0.15805.0_fr-fr_e1aeb388edbc2c95\Microsoftresources.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-setupcl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_f2c2c1b8794e72f3\dexploitationSystme.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\EFI\el-GR\bootmgrbootmgr10.0.19041.1.160101.0800.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\Misc\PCAT\bootspacesbootspaces10.0.19041.844.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\PCAT\it-IT\Microsoftmemdiag.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..in-gpedit.resources_31bf3856ad364e35_10.0.19041.1_de-de_122eb431bad795d0\Windowsgpedit.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-o..tiveportal.appxmain_31bf3856ad364e35_10.0.19041.1_none_f830216e59eee182\OOBECaptivePortalFlowOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-van.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c92f0e367f517c6e\MicrosoftWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..cingstack-onecoreds_31bf3856ad364e35_10.0.19041.1220_none_291ad8d1d6dfb49e\MicrosoftWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\RCXA62.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\msil_system.xml.resources_b77a5c561934e089_10.0.19041.1_es-es_383433c5b111c05c\MicrosoftFramework2.0.50727.91496.0507279100.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-playtodevice-dll_31bf3856ad364e35_10.0.19041.1_none_252fb59b00636623\WindowsMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ipconfig_31bf3856ad364e35_10.0.19041.1_none_0c7fa8d5ebaceac7\Microsoftipconfig.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RCXC16F.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\EFI\ja-JP\memdiagSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\es\resourcesMSBuild3.5.30729.9135.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\OperatingMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\OperatingMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..l-library.resources_31bf3856ad364e35_10.0.19041.1_de-de_9942afdeefabb024\WindowsMicrosoft10.0.19041.1.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-i..-japanese_nec_win95_31bf3856ad364e35_10.0.19041.1_none_38954f0b852b8b08\WindowsOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-wincredui.resources_31bf3856ad364e35_10.0.19041.1_it-it_ee8d193f6a5c709f\Sistemaoperativo.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime\v4.0_4.0.0.0__b03f5f7f11d50a3a\RCX7D5F.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CertificateServices.PKIClient.Cmdlets.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\WindowsSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\PCAT\qps-ploc\StemmrI1Zs.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..istration.resources_31bf3856ad364e35_10.0.19041.1_de-de_f68f68fd78290aa0\BetriebssystemMicrosoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_10.0.19041.1_none_aa1fc2e87b362d12\Systemregedt32.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.v4.0.Framework\v4.0_10.0.0.0__b03f5f7f11d50a3a\OfficeTools.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\IME\IMETC\DICTS\SystemMSHWCHT.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..clientext.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_4b048b7c4a808f8d\WindowsOperating.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-icm-ui.resources_31bf3856ad364e35_10.0.19041.1_en-us_f2836caa410e0eb2\Windowscolorcpl10.0.19041.1.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_netfx-mscorjit_dll_b03f5f7f11d50a3a_10.0.19041.1_none_38981071adb34993\mscorjitmscorjit2.0.50727.91496.0507279100.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..lishing-wmiprovider_31bf3856ad364e35_10.0.19041.1151_none_aa086da848b2c07b\TSSignToolMicrosoft10.0.19041.1151.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_fr_31bf3856ad364e35\dexploitationWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_64\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\RCXC19F.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\IME\IMETC\DICTS\RCX4EB1.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_10.0.19041.1_it-it_986b04142ddadd06\xwtpw32operativo.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-refs.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0b42ed22ae518b2b\refsWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_10.0.19041.1266_en-us_2349fda40e0c3826\Systemwuapi.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_system.runtime.caching.resources_b03f5f7f11d50a3a_4.0.15805.0_ja-jp_29954fe9621a414a\CachingSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_msbuild.resources_b03f5f7f11d50a3a_4.0.15805.0_it-it_681d7ce226edc05b\Frameworkresources.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..tivexcore.resources_31bf3856ad364e35_10.0.19041.1_de-de_80c1e89c36fdce3c\mstscaxtsgqec.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Office.Tools.v4.0.Framework\v4.0_10.0.0.0__b03f5f7f11d50a3a\RCX33EF.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\es\RCXA82.tmp	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Boot\EFI\zh-TW\memdiagWindows.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\Microsoft.NET\Framework64\WindowsSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-directx-direct3d10.1_31bf3856ad364e35_10.0.19041.1_none_106f353b7d505f70\D3D101CoreSystem.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_10.0.19041.1_ko-kr_732160aabf0235cd\comdlg32Microsoft.exe	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
4048	82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe

C:\Users\Admin\AppData\Local\Temp\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe
"C:\Users\Admin\AppData\Local\Temp\82d89e3fab978e9f67268fb11d055d9908d364d3b608dd351220383a1ee5f6f6.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AcrobatAdobe.exe

Filesize
1.1MB

MD5
a3c29744d45f31ccc934c6e43545a52f

SHA1
91c510f1675884e372493e7dc4d4406fe4ad5565

SHA256
26f900f7ee7c977a22e8c0150680499d69005652bfab0d6d2f1b462cab169346

SHA512
107e43403dde2c498a0c93b3fd61bf40c7ca6b0f24b0e93210535c430666f30ff61654a5000fda164449d8bbca3e18a38880298325ff73b084b0d1d83238813b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\AdobeWCChromeNativeMessagingHost.exe

Filesize
1.1MB

MD5
a61e4dc63ebf49e0f0f173a8df11763d

SHA1
2647b0898379fc8e6f40a26bf30f610c59aea201

SHA256
2f59e8a91387606d94f096c09e2ea44789526ada0bf6aa5f7c86643f72b5c90d

SHA512
5fc6772bf31be2df5b9d3104fdbfba61820504975e86468aca9711ed13b0981b1b41e7679b5e342c12cbefff8df7ca91b663c148f7a93fc1804cfeee036bc0ae

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ReaderViewerPS.exe

Filesize
1.1MB

MD5
875c458b1d4ff1c37185b494968716e4

SHA1
29f1d7f08cae906fdbc7f7c15367fe917c8d50f1

SHA256
332687e1ba086a20298fcfe336834f1ca107c4a6e4ec19f2120847da63130e32

SHA512
d781fbead68e7784b94468c37fa181b3347a4eb445eb6b79ebf5ad852c649e18da80ce8abe183bb3d00693e7b4b95cf84fa001c59238d29cc5b92fce6815c64d

Download Submit
C:\Program Files (x86)\Windows Defender\de-DE\MicrosoftEppManifest.exe

Filesize
448KB

MD5
7d41a96c6f4d84ddf8d5290ee601687d

SHA1
9514ca828a52ce12fd89ac5fa34d4bdec1a7824a

SHA256
c8beca6b02b3403375d5394186577e5c153624da0537df7d3ac4c4d728c442d6

SHA512
1fbd5240bfab6d881fe5b7834d9e6be59a5f825b5ce7fe4f4aaf71fe6ee50342b89ea5db2eaa0fd8954f5db227d3670866de5d9e7dc8d6ab242690655c5b497f

Download Submit
C:\Program Files (x86)\Windows Media Player\en-US\RCX70FC.tmp

Filesize
448KB

MD5
4ace372885ce0cd91163fd8a15d0bbd5

SHA1
5055c3b5838bcef793ac4833051b4a63b0b9563a

SHA256
988ef96226de30806a4e5374677a3a685c70c28c4f73fe702a27fd37fcd8cb2b

SHA512
d3694c48882a5c40f08abdd133e37242a291529e3458f54e21b3eca0ee99fe46e37aefc3e9e3c4e1008490ad583307cd599ff434d48aae2e757b8f6751d0e4bb

Download Submit