52e3b8475e965eb56f57978fc88186f7408bc2f66b115d5f2c73e6fc8addfedb

Analysis

max time kernel
119s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 20:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e813f229750803c23008c8be5548d9e0N.exe
Size

9.9MB
MD5

e813f229750803c23008c8be5548d9e0
SHA1

d0c5b58feb3ee9010604351bef8ba6e9eb3e5593
SHA256

52e3b8475e965eb56f57978fc88186f7408bc2f66b115d5f2c73e6fc8addfedb
SHA512

74a47b3d3f7253def4b874a3aae190f9d714305bef30a48b07c4cd959797175faf5c77efc87667b2d096356cf9215a8e9ea51eda2ddb73107ff9647a313a5eb4
SSDEEP

196608:vmqnhgJuP3LAhCiVXCWeZLsA1oMuWr45hrr27:/S+LVReJWGhrr27

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MicrosoftInstaller41 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e813f229750803c23008c8be5548d9e0N.exe"	e813f229750803c23008c8be5548d9e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\miniinstallerOneDrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e813f229750803c23008c8be5548d9e0N.exe"	e813f229750803c23008c8be5548d9e0N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ntdll.dll.dll	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\pspluginwkrPSEvents.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\RCX9B41.tmp	e813f229750803c23008c8be5548d9e0N.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\NPPDF32Acrobat.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\RCXD802.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\libGLESv2libEGL.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\RCXD8AF.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\RCXF48C.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\it-IT\RCXE11D.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO360Microsoft.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\msdaprsrmsadcor.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\RCXEAA4.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\AcrobatAdobe.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\MicrosoftFramework.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\System\msadc\en-US\Microsoftmsdaprsr.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCXF3FE.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXF529.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\MicrosoftFramework.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\AdobeNPPDF32.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\RCXEB51.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterchromeelf.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RCXFF5C.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCXFFDA.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAiod.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\ControlBrowser19.10.20064.310990.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\System\ado\it-IT\msader15Operating10.0.19041.1.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\RCXE1BA.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\RCXFE71.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtilsReader.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodAdobe.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\RCXD784.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\RCXE060.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtilsReader.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX73E.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Common Files\System\ado\OperatingWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\RCXEBDF.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterchromeelf.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\AdobeNPPDF32.exe	e813f229750803c23008c8be5548d9e0N.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..oryclient.resources_31bf3856ad364e35_10.0.19041.1_es-es_775b0f3668ac487e\Sistemaoperativo.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..engineres.resources_31bf3856ad364e35_10.0.19041.1_it-it_c6a854b1b4d7e07f\Windowssberes.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-r..erycenter.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_e0257df014b3aa97\dexploitationRECOVERY.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-crypt32-dll.resources_31bf3856ad364e35_10.0.19041.1_de-de_db2715196ac5ef55\MicrosoftCRYPT32.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.resources\v4.0_10.0.0.0_de_b03f5f7f11d50a3a\RCX27E8.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\RCX6BBA.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\RCX6C67.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..setupmanagerservice_31bf3856ad364e35_10.0.19041.844_none_d0c8c10b5cfbc3cd\OperatingDeviceSetupManager.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-netevent.resources_31bf3856ad364e35_10.0.19041.1_de-de_8f88b4d96c16d246\MicrosoftWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\RCX6E7B.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\RCX277A.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_dual_bthprint.inf_31bf3856ad364e35_10.0.19041.1_none_b3cbe0a238956cbe\bthprintbthprint.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..rtmonitor.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_39fc0f8079d792a2\SystemMicrosoft10.0.19041.1.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..i-printui.resources_31bf3856ad364e35_10.0.19041.1_de-de_7181fc178ee93045\printuiBetriebssystem.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..-optional.resources_31bf3856ad364e35_11.0.19041.1_fr-fr_1ec84d0fe2a37514\IEXPLOREiexplore.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls\v4.0_1.0.0.0__31bf3856ad364e35\RCXE117.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\resourcesSystem.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.DynamicData.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\RCXE280.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..onservice.resources_31bf3856ad364e35_10.0.19041.1_it-it_da4362cbcfd88975\operativooperativo.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\RCX9CE9.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls\v4.0_1.0.0.0__31bf3856ad364e35\MIGUIControlsSystem.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\Framework\v3.5\TasksFramework.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..agnostics.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_81ef0c604569a98b\WindowsDiagnostics.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\msil_microsoft.web.management.ftp.resources_31bf3856ad364e35_10.0.19041.1_it-it_ae0b79a3ede58cda\InternetMicrosoft.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-win32k_31bf3856ad364e35_10.0.19041.264_none_96d51a9cf96821f6\WindowsWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.resources\v4.0_10.0.0.0_de_b03f5f7f11d50a3a\VisualBasicMicrosoft.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..necoreuap.resources_31bf3856ad364e35_10.0.19041.1_es-es_e6f017b66bfe4cd7\MicrosoftWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..urepassword-library_31bf3856ad364e35_10.0.19041.746_none_ef08c10707cf94a2\WindowsWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..enhancementoverride_31bf3856ad364e35_10.0.19041.153_none_0e3fe4486908c99e\WindowsWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\TasksFramework.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Tpm.Commands.Resources\v4.0_10.0.0.0_es_31bf3856ad364e35\Microsoftresources.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\CommandsWindows.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..c-keyenum.resources_31bf3856ad364e35_10.0.19041.1_en-us_233ca27afa9e0258\WindowsOperating10.0.19041.1.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-winrsplugins.resources_31bf3856ad364e35_10.0.19041.1_de-de_c69e8baa70e4e6f0\winrsMicrosoft.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_es_b77a5c561934e089\FrameworkData.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Tpm.Resources\v4.0_10.0.0.0_en_31bf3856ad364e35\resourcesMicrosoft.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\resourcesProtocols.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\RCX2857.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..cingstack.resources_31bf3856ad364e35_10.0.19041.1_it-it_cf55916efe4b9a59\operativoMicrosoft10.0.19041.1.160101.0800.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\WindowsSistema.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.ApplicationId.RuleWizard.Resources\v4.0_10.0.0.0_it_31bf3856ad364e35\RCX9C0E.tmp	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..vices-configbackend_31bf3856ad364e35_10.0.19041.746_none_bee2ecb684c7fdfd\OperatingWindows10.0.19041.746.160101.0800.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\WinSxS\amd64_presentationframework-systemxml_b77a5c561934e089_4.0.15805.0_none_f77c62f0ff74d234\MicrosoftPresentationFrameworkSystemXml.exe	e813f229750803c23008c8be5548d9e0N.exe
File created	C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\MicrosoftFramework.exe	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.OracleClient.resources\v4.0_4.0.0.0_es_b77a5c561934e089\RCXE32D.tmp	e813f229750803c23008c8be5548d9e0N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\resourcesProtocols.exe	e813f229750803c23008c8be5548d9e0N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e813f229750803c23008c8be5548d9e0N.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	e813f229750803c23008c8be5548d9e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	e813f229750803c23008c8be5548d9e0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	e813f229750803c23008c8be5548d9e0N.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe
2340	e813f229750803c23008c8be5548d9e0N.exe

C:\Users\Admin\AppData\Local\Temp\e813f229750803c23008c8be5548d9e0N.exe
"C:\Users\Admin\AppData\Local\Temp\e813f229750803c23008c8be5548d9e0N.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\widevinecdmadapterchromeelf.exe

Filesize
9.9MB

MD5
cba7481d07380c0708f348c7a37f5516

SHA1
6600340209d2b559471c710c14497ef4a5c8d8b3

SHA256
10d2de1b7e7c24481b1349b5b0256ce6a322f1ec09e8399c0ea4dcb4e8df3036

SHA512
6e0e282b56d2cfafa7d0711670bc85c5b8a4eb57b1451891d2d87e4770bf60a244c26ec1aecbf3ef41ba1e109b53ac1b37fab75fed39636146c68ef538592308

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\CreateAdobe.exe

Filesize
10.0MB

MD5
1e8269715b454ed686c31e4acb71da5d

SHA1
33c206a0c8d8c397079fb331b3a3df78beb50585

SHA256
a2a2ae0469b92e0ae7462c84547ccf31980ebf78823f5a9e313ffd4ec7579bd5

SHA512
beb39e144e49ee071704573e8e4d1ed5a289b45c1c1840bd2947cec2838a5c71884abb0616ac0c038eba31b1c9dda35d46ed20954f49f86bf337c181d7137e7f

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO360Microsoft.exe

Filesize
9.9MB

MD5
9a01d0944e62069f19e94256d3e3f36c

SHA1
d67e84aa7a96a403ff9fd101cab8bb0fe3ff755c

SHA256
1c8c20178d1d01b6978d9bf91fdc5e5215a2aeca692bdee5b04c603481d9423a

SHA512
56fef08137287b880ad5ea74a469359849e881ffb3cb66e8ab80c7a0a7b5495ca7f881fa4ffc333088f22be6e663cfc7c69145d9524423c14dd552ef409b4f41

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\swiftshader\RCXD8AF.tmp

Filesize
9.9MB

MD5
88335a3d4fad0bef3ed8771eb2af4fd8

SHA1
ad0235dfdcb1ac69d67db46412c03e0ccc65281d

SHA256
4ace185834bb48276a5f68cf290bb83e90924c85bab1b524b53c1e912772006c

SHA512
5e4b291c1aef5e652a9030a10d818e3881d90e787061e6b3a2aff2248d3c7bc018a24ce3bf957b144b70b098801b9ad0f34cafbd46761bf01aec2f63fa5db29c

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\MicrosoftFramework.exe

Filesize
9.9MB

MD5
e813f229750803c23008c8be5548d9e0

SHA1
d0c5b58feb3ee9010604351bef8ba6e9eb3e5593

SHA256
52e3b8475e965eb56f57978fc88186f7408bc2f66b115d5f2c73e6fc8addfedb

SHA512
74a47b3d3f7253def4b874a3aae190f9d714305bef30a48b07c4cd959797175faf5c77efc87667b2d096356cf9215a8e9ea51eda2ddb73107ff9647a313a5eb4

Download Submit