3026d639ac3de01d4e8b07c5a23c76a0940d44230064ea7c988e89971e13da86

Analysis

max time kernel
96s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a8c5685cc0152fe9f76a0cae0cd9140N.exe
Size

241KB
MD5

1a8c5685cc0152fe9f76a0cae0cd9140
SHA1

d1f2d57d7e4336ea4245d4f1bb19ebf723ed1af1
SHA256

3026d639ac3de01d4e8b07c5a23c76a0940d44230064ea7c988e89971e13da86
SHA512

05ec5df5b216022452ba615b347b5b9dc5f7fb0591113a47920fdde7a3cdc1a17b9263f4cdc3ab4fce6d53c6c1afc48510e09f187351c0bdbe0bb92ac44165a7
SSDEEP

6144:DfL+oq5k4pr3l+O/LE11c7ojuZUvyejrRj:DfLCkmI11GojuHefRj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 37 IoCs

pid	Process
4104	anxiety.exe
5056	anxiety.exe
4916	spermicide.exe
4656	spermicide.exe
2448	anxiety.exe
1548	anxiety.exe
3320	spermicide.exe
2816	spermicide.exe
1932	anxiety.exe
216	anxiety.exe
1684	spermicide.exe
1648	spermicide.exe
4620	anxiety.exe
3492	anxiety.exe
4172	spermicide.exe
1384	spermicide.exe
428	anxiety.exe
3208	anxiety.exe
3528	spermicide.exe
4504	spermicide.exe
4324	anxiety.exe
2348	anxiety.exe
1392	spermicide.exe
1736	spermicide.exe
3104	anxiety.exe
4204	anxiety.exe
3868	spermicide.exe
3064	spermicide.exe
2868	anxiety.exe
4176	anxiety.exe
2624	spermicide.exe
4684	spermicide.exe
1292	anxiety.exe
4592	anxiety.exe
1140	spermicide.exe
3680	spermicide.exe
3596	anxiety.exe

Loads dropped DLL 1 IoCs

pid	Process
4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a8c5685cc0152fe9f76a0cae0cd9140N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spermicide.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	anxiety.exe
4104	anxiety.exe
4104	anxiety.exe
4104	anxiety.exe
5056	anxiety.exe
5056	anxiety.exe
5056	anxiety.exe
5056	anxiety.exe
4916	spermicide.exe
4916	spermicide.exe
4916	spermicide.exe
4916	spermicide.exe
4656	spermicide.exe
4656	spermicide.exe
4656	spermicide.exe
4656	spermicide.exe
2448	anxiety.exe
2448	anxiety.exe
2448	anxiety.exe
2448	anxiety.exe
1548	anxiety.exe
1548	anxiety.exe
1548	anxiety.exe
1548	anxiety.exe
3320	spermicide.exe
3320	spermicide.exe
3320	spermicide.exe
3320	spermicide.exe
2816	spermicide.exe
2816	spermicide.exe
2816	spermicide.exe
2816	spermicide.exe
1932	anxiety.exe
1932	anxiety.exe
1932	anxiety.exe
1932	anxiety.exe
216	anxiety.exe
216	anxiety.exe
216	anxiety.exe
216	anxiety.exe
1684	spermicide.exe
1684	spermicide.exe
1684	spermicide.exe
1684	spermicide.exe
1648	spermicide.exe
1648	spermicide.exe
1648	spermicide.exe
1648	spermicide.exe
4620	anxiety.exe
4620	anxiety.exe
4620	anxiety.exe
4620	anxiety.exe
3492	anxiety.exe
3492	anxiety.exe
3492	anxiety.exe
3492	anxiety.exe
4172	spermicide.exe
4172	spermicide.exe
4172	spermicide.exe
4172	spermicide.exe
1384	spermicide.exe
1384	spermicide.exe
1384	spermicide.exe
1384	spermicide.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4104	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	84
PID 4500 wrote to memory of 4104	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	84
PID 4500 wrote to memory of 5056	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	90
PID 4500 wrote to memory of 5056	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	90
PID 4500 wrote to memory of 4916	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	92
PID 4500 wrote to memory of 4916	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	92
PID 4500 wrote to memory of 4916	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	92
PID 4500 wrote to memory of 4656	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	95
PID 4500 wrote to memory of 4656	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	95
PID 4500 wrote to memory of 4656	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	95
PID 4500 wrote to memory of 2448	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	101
PID 4500 wrote to memory of 2448	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	101
PID 4500 wrote to memory of 1548	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	102
PID 4500 wrote to memory of 1548	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	102
PID 4500 wrote to memory of 3320	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	103
PID 4500 wrote to memory of 3320	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	103
PID 4500 wrote to memory of 3320	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	103
PID 4500 wrote to memory of 2816	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	104
PID 4500 wrote to memory of 2816	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	104
PID 4500 wrote to memory of 2816	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	104
PID 4500 wrote to memory of 1932	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	105
PID 4500 wrote to memory of 1932	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	105
PID 4500 wrote to memory of 216	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	106
PID 4500 wrote to memory of 216	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	106
PID 4500 wrote to memory of 1684	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	107
PID 4500 wrote to memory of 1684	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	107
PID 4500 wrote to memory of 1684	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	107
PID 4500 wrote to memory of 1648	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	108
PID 4500 wrote to memory of 1648	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	108
PID 4500 wrote to memory of 1648	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	108
PID 4500 wrote to memory of 4620	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	111
PID 4500 wrote to memory of 4620	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	111
PID 4500 wrote to memory of 3492	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	113
PID 4500 wrote to memory of 3492	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	113
PID 4500 wrote to memory of 4172	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	114
PID 4500 wrote to memory of 4172	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	114
PID 4500 wrote to memory of 4172	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	114
PID 4500 wrote to memory of 1384	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	115
PID 4500 wrote to memory of 1384	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	115
PID 4500 wrote to memory of 1384	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	115
PID 4500 wrote to memory of 428	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	116
PID 4500 wrote to memory of 428	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	116
PID 4500 wrote to memory of 3208	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	117
PID 4500 wrote to memory of 3208	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	117
PID 4500 wrote to memory of 3528	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	118
PID 4500 wrote to memory of 3528	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	118
PID 4500 wrote to memory of 3528	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	118
PID 4500 wrote to memory of 4504	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	119
PID 4500 wrote to memory of 4504	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	119
PID 4500 wrote to memory of 4504	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	119
PID 4500 wrote to memory of 4324	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	120
PID 4500 wrote to memory of 4324	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	120
PID 4500 wrote to memory of 2348	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	121
PID 4500 wrote to memory of 2348	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	121
PID 4500 wrote to memory of 1392	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	122
PID 4500 wrote to memory of 1392	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	122
PID 4500 wrote to memory of 1392	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	122
PID 4500 wrote to memory of 1736	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	123
PID 4500 wrote to memory of 1736	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	123
PID 4500 wrote to memory of 1736	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	123
PID 4500 wrote to memory of 3104	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	125
PID 4500 wrote to memory of 3104	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	125
PID 4500 wrote to memory of 4204	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	126
PID 4500 wrote to memory of 4204	4500	1a8c5685cc0152fe9f76a0cae0cd9140N.exe	126

C:\Users\Admin\AppData\Local\Temp\1a8c5685cc0152fe9f76a0cae0cd9140N.exe
"C:\Users\Admin\AppData\Local\Temp\1a8c5685cc0152fe9f76a0cae0cd9140N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1384
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:884
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:1048
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:2816
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:3652
- C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe
  "C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe" /mute "Microsoft Edge WebView2"
  2⤵
  PID:3360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x304
1⤵
PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\anxiety.exe

Filesize
189KB

MD5
9101a7f1e09281d413ece6d825020d92

SHA1
9df34287601a77e65cec58843474108dd0309f54

SHA256
781c6b118a97dd0301788d1882b18242d2768ad40752cb622f70e80d7e3a0a88

SHA512
8f3e5068f47817593ddd3eeb48848a1a49ffbb62fbc935c3d90757625ab3aec2e19f34d45b583dbe39dbd5cad11e00e0eb888dda6ffa9952b0851d0ada616425

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA27B.tmp\spermicide.exe

Filesize
139KB

MD5
fda656c75b581d0dce6537d159052bcd

SHA1
a06523896f54e51a1a7269356634cc0bbb069edd

SHA256
4ce66c1b06bab37a85a93c5e7d7c9ba6f79da608fab33a00c44b8b0a9443309d

SHA512
8e7928c0e0439da880b7f2b036aa4f89cabb365bfe83c17184336580101c96d3b1f2c2ddc254a99a73d7cd0e203c40a1b22f68ad803070d2537c82fb95718106

Download Submit