3026d639ac3de01d4e8b07c5a23c76a0940d44230064ea7c988e89971e13da86

Analysis

max time kernel
112s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8c5685cc0152fe9f76a0cae0cd9140N.exe
Size

241KB
MD5

1a8c5685cc0152fe9f76a0cae0cd9140
SHA1

d1f2d57d7e4336ea4245d4f1bb19ebf723ed1af1
SHA256

3026d639ac3de01d4e8b07c5a23c76a0940d44230064ea7c988e89971e13da86
SHA512

05ec5df5b216022452ba615b347b5b9dc5f7fb0591113a47920fdde7a3cdc1a17b9263f4cdc3ab4fce6d53c6c1afc48510e09f187351c0bdbe0bb92ac44165a7
SSDEEP

6144:DfL+oq5k4pr3l+O/LE11c7ojuZUvyejrRj:DfLCkmI11GojuHefRj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 44 IoCs

pid	Process
2468	anxiety.exe
2776	anxiety.exe
3040	spermicide.exe
832	spermicide.exe
2704	anxiety.exe
108	anxiety.exe
2132	spermicide.exe
2380	spermicide.exe
2940	anxiety.exe
1000	anxiety.exe
2276	spermicide.exe
2124	spermicide.exe
2336	anxiety.exe
2284	anxiety.exe
2240	spermicide.exe
1704	spermicide.exe
2232	anxiety.exe
236	anxiety.exe
1012	spermicide.exe
1164	spermicide.exe
320	anxiety.exe
1148	anxiety.exe
920	spermicide.exe
2580	spermicide.exe
2588	anxiety.exe
2504	anxiety.exe
2640	spermicide.exe
2960	spermicide.exe
2804	anxiety.exe
644	anxiety.exe
2708	spermicide.exe
2616	spermicide.exe
2404	anxiety.exe
1828	anxiety.exe
1552	spermicide.exe
2948	spermicide.exe
2156	anxiety.exe
1296	anxiety.exe
1036	spermicide.exe
2200	spermicide.exe
2328	anxiety.exe
2188	anxiety.exe
2224	spermicide.exe
292	spermicide.exe

Loads dropped DLL 64 IoCs

pid	Process
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	anxiety.exe
2468	anxiety.exe
2468	anxiety.exe
2776	anxiety.exe
2776	anxiety.exe
2776	anxiety.exe
3040	spermicide.exe
3040	spermicide.exe
3040	spermicide.exe
832	spermicide.exe
832	spermicide.exe
832	spermicide.exe
2704	anxiety.exe
2704	anxiety.exe
2704	anxiety.exe
108	anxiety.exe
108	anxiety.exe
108	anxiety.exe
2132	spermicide.exe
2132	spermicide.exe
2132	spermicide.exe
2380	spermicide.exe
2380	spermicide.exe
2380	spermicide.exe
2940	anxiety.exe
2940	anxiety.exe
2940	anxiety.exe
1000	anxiety.exe
1000	anxiety.exe
1000	anxiety.exe
2276	spermicide.exe
2276	spermicide.exe
2276	spermicide.exe
2124	spermicide.exe
2124	spermicide.exe
2124	spermicide.exe
2336	anxiety.exe
2336	anxiety.exe
2336	anxiety.exe
2284	anxiety.exe
2284	anxiety.exe
2284	anxiety.exe
2240	spermicide.exe
2240	spermicide.exe
2240	spermicide.exe
1704	spermicide.exe
1704	spermicide.exe
1704	spermicide.exe
2232	anxiety.exe
2232	anxiety.exe
2232	anxiety.exe
236	anxiety.exe
236	anxiety.exe
236	anxiety.exe
1012	spermicide.exe
1012	spermicide.exe
1012	spermicide.exe
1164	spermicide.exe
1164	spermicide.exe
1164	spermicide.exe
320	anxiety.exe
320	anxiety.exe
320	anxiety.exe
1148	anxiety.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2468	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	29
PID 1944 wrote to memory of 2468	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	29
PID 1944 wrote to memory of 2468	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	29
PID 1944 wrote to memory of 2468	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	29
PID 1944 wrote to memory of 2776	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	30
PID 1944 wrote to memory of 2776	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	30
PID 1944 wrote to memory of 2776	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	30
PID 1944 wrote to memory of 2776	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	30
PID 1944 wrote to memory of 3040	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	31
PID 1944 wrote to memory of 3040	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	31
PID 1944 wrote to memory of 3040	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	31
PID 1944 wrote to memory of 3040	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	31
PID 1944 wrote to memory of 832	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	32
PID 1944 wrote to memory of 832	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	32
PID 1944 wrote to memory of 832	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	32
PID 1944 wrote to memory of 832	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	32
PID 1944 wrote to memory of 2704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	33
PID 1944 wrote to memory of 2704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	33
PID 1944 wrote to memory of 2704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	33
PID 1944 wrote to memory of 2704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	33
PID 1944 wrote to memory of 108	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	34
PID 1944 wrote to memory of 108	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	34
PID 1944 wrote to memory of 108	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	34
PID 1944 wrote to memory of 108	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	34
PID 1944 wrote to memory of 2132	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	35
PID 1944 wrote to memory of 2132	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	35
PID 1944 wrote to memory of 2132	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	35
PID 1944 wrote to memory of 2132	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	35
PID 1944 wrote to memory of 2380	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	36
PID 1944 wrote to memory of 2380	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	36
PID 1944 wrote to memory of 2380	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	36
PID 1944 wrote to memory of 2380	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	36
PID 1944 wrote to memory of 2940	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	37
PID 1944 wrote to memory of 2940	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	37
PID 1944 wrote to memory of 2940	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	37
PID 1944 wrote to memory of 2940	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	37
PID 1944 wrote to memory of 1000	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	38
PID 1944 wrote to memory of 1000	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	38
PID 1944 wrote to memory of 1000	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	38
PID 1944 wrote to memory of 1000	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	38
PID 1944 wrote to memory of 2276	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	39
PID 1944 wrote to memory of 2276	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	39
PID 1944 wrote to memory of 2276	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	39
PID 1944 wrote to memory of 2276	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	39
PID 1944 wrote to memory of 2124	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	40
PID 1944 wrote to memory of 2124	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	40
PID 1944 wrote to memory of 2124	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	40
PID 1944 wrote to memory of 2124	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	40
PID 1944 wrote to memory of 2336	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	41
PID 1944 wrote to memory of 2336	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	41
PID 1944 wrote to memory of 2336	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	41
PID 1944 wrote to memory of 2336	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	41
PID 1944 wrote to memory of 2284	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	42
PID 1944 wrote to memory of 2284	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	42
PID 1944 wrote to memory of 2284	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	42
PID 1944 wrote to memory of 2284	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	42
PID 1944 wrote to memory of 2240	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	43
PID 1944 wrote to memory of 2240	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	43
PID 1944 wrote to memory of 2240	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	43
PID 1944 wrote to memory of 2240	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	43
PID 1944 wrote to memory of 1704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	44
PID 1944 wrote to memory of 1704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	44
PID 1944 wrote to memory of 1704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	44
PID 1944 wrote to memory of 1704	1944	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	44

C:\Users\Admin\AppData\Local\Temp\1a8c5685cc0152fe9f76a0cae0cd9140N.exe
"C:\Users\Admin\AppData\Local\Temp\1a8c5685cc0152fe9f76a0cae0cd9140N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:832
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:108
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2124
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:920
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2708
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso22CD.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nso22CD.tmp\anxiety.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit
\Users\Admin\AppData\Local\Temp\nso22CD.tmp\spermicide.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit