38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16/04/2025, 11:04

250416-m58gsaz1ay 10

15/04/2025, 17:34

15/04/2025, 06:16

14/04/2025, 08:06

14/04/2025, 07:59

14/04/2025, 07:22

14/04/2025, 07:16

11/04/2025, 21:39

Analysis

max time kernel
114s
max time network
117s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250410-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250410-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
14/04/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Size

355KB
MD5

b403152a9d1a6e02be9952ff3ea10214
SHA1

74fc4148f9f2979a0ec88ffa613c2147c4d5e7e5
SHA256

0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51
SHA512

0ac24ef826ae66bbba8bd5de70cb491d765ae33659452da97605701b3a39a33933f9d2795af1e8a8615cc99ae755fccc61fc44737122067eb05d7b1c435a4ec8
SSDEEP

6144:Fs3o0YvJiTQLmCUmLG0HhLjSKHkYp6dDERdBHMlU8LF:Fs3FmDL5P6YpaAt8LF

Score

3^/10

discovery

Malware Config

Signatures

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4208	1032	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1032	0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
Token: SeTcbPrivilege	4764	svchost.exe
Token: SeRestorePrivilege	4764	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 4784	4764	svchost.exe	88
PID 4764 wrote to memory of 4784	4764	svchost.exe	88

C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe
"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1616
  2⤵
  - Program crash
  PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1032 -ip 1032
1⤵
PID:3468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\dashost.exe
  dashost.exe {fec32305-c04d-4ba0-a5976b6b3f4ea214}
  2⤵
  PID:4784

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\AssertExpand.mp2

Filesize
332KB

MD5
f70ccb55f9985eab5a8d0e4e50ed1cc8

SHA1
a4a984471bceebe79fd672c47e1f49b1855239a6

SHA256
969ed61d360c0c910deeace82aa72d7d02563254cd617c1994fc421ea74ba974

SHA512
d609c1a764fbc7d04db9a6373284ca52a417658288982992a7182182ba6139c277fe499583e3094851e5d46ba266ce8dc3a40b77571a83ac1b38637b0f1c7e58

Download Submit
C:\Users\Admin\Desktop\CheckpointConfirm.vssx

Filesize
606KB

MD5
243674ae65d8b436766c368f527fb2d3

SHA1
4c1583dd1273524829a8b2a4ef05f811e83da33b

SHA256
12a8b2ac2681f27bb190c857fc6bb1556be27e5920be06e9369b9265de2d6975

SHA512
532e1567b8f4511ec660f5057faa20c91aa54419eb34356c8b2ab3fac7378d2f49319cb16d52dc0eb832896e46c5e288f8d11a2c8ead56011ed7baa9d0d75ffe

Download Submit
C:\Users\Admin\Desktop\ClearStop.xlsb

Filesize
293KB

MD5
e44f18f1b04cb78e21a77d1c3fe45362

SHA1
e5ffa8f49b16aca284795fc8c5751e16cd286d6c

SHA256
1578b0c34901cd13a25675f61390eff9a66f6aff7cc435ecb9613ec1abf42385

SHA512
374e6884ff02699d48c9be4995f9d6913b8ec342c9512e41e176bac588d1bf60b2e2f034ab2a9902631111f6a78bde6ae1ef2073d98ecd63380649055a66d86d

Download Submit
C:\Users\Admin\Desktop\CompressHide.docx

Filesize
14KB

MD5
9397c0ea00a560147655d5db51e3d72c

SHA1
28677af5fdfd161794c8b9329211883779da670c

SHA256
6bea0167b68c12306ec3e1d036e9a9a53d88e554eadda74348637cbee3c9fef5

SHA512
9f8f4d118baad59473e5942ecfa4a782ccea4af3bd99caa0b021c16d4bfea1d22e80d5a6d2124705797ba092c9e5b27861e1155a503f9ff25f544336ae707050

Download Submit
C:\Users\Admin\Desktop\ConnectRestore.vsx

Filesize
449KB

MD5
23d445638fdd1e3d73c1beeeb2279a15

SHA1
4a27451a1d611aaadedde8b25a260c22ff0bffa2

SHA256
5b1a7ba4de95329ce8fad7b898b3df3ad72bf8ccb8e1a22e06eeaefcff1ab38f

SHA512
d93ee1c8dc1aafd4a3e54c85093755dfebc8dd3d4f63f6618d6f5d05c9c03b95ba88ec77e3a630f23121cba469eb48551ad9327fc6c2087b2b1e3670b5768de2

Download Submit
C:\Users\Admin\Desktop\CopyCompare.xlsx

Filesize
664KB

MD5
7999b7700de7aa868c955eb801aba438

SHA1
9a120c961cde948c2d97635f26c5ccb428db7c22

SHA256
cf0a0a48f0832d413f8eb03486d3915b39b4d34732f9fe2d9d1d631d4866e77b

SHA512
1768236ebdb8f7e1c48ab4791dfb17ac659d057adfa763c2b66a326f8e830e774669f3c3569e537d33323c772183ee215b03bf80a2da4c1fbc06c0bc85ca7032

Download Submit
C:\Users\Admin\Desktop\CopyStart.xlsb

Filesize
586KB

MD5
2cbfe8c45e5a395154af5e2ad38e0f88

SHA1
d8a140d1c47a5b1e918d04bae68225a37acbdedc

SHA256
0f2094bb8a5b39163badca4fbdd6c981b733d1b937815fec63c4b02cc15295a4

SHA512
cecb69e60ac2a0f603a00cc9785d33043114d6647feb3bc0074af192c67d40c24b2a8c28caf68974f3d5bf7d8d1125d8485e1698d1acc47f8a6424bdc4031197

Download Submit
C:\Users\Admin\Desktop\DebugResize.mp3

Filesize
645KB

MD5
8e2fd66220610f4c77b710c49342fcfa

SHA1
242029eb459b24482bae6de8006022892e7baa68

SHA256
c27a9bd5c69e1512b87e08683e40c683f5fef5bc6a41ba03d2e96655eaef0b31

SHA512
874fa65531a1df15ca957d6739511947c9ffb418c495c06d560516f9382a7ddeeea01adef0702594f3d8fb9439929ee1236de389cf975092756a77307de8b25f

Download Submit
C:\Users\Admin\Desktop\EditReceive.vsdm

Filesize
371KB

MD5
0cb5a2ac8bd6fc2a86af7741062785f7

SHA1
757b6fef952f8777ec0c817066ed563860cbc5c2

SHA256
1577fdad223ec94dacf72058ae6a3af957ca6e10b2efb40dcec8c2e7f380f97a

SHA512
b1ba0c9d5b450dba45449fe23d9bed1b362605efd902b7386dfd7fbf606c683fec520fab7194b709641429d61f9a8f83358ee8e47ee8093c16bb88b904c22640

Download Submit
C:\Users\Admin\Desktop\FormatExit.mov

Filesize
273KB

MD5
33bc9ad6056d82dfabf04f4343404461

SHA1
668f6d28106d0727f52c8c07bae09de443539430

SHA256
f94f3c5cf01159df55f74ea747caa9476620a57b7d3b47f9800bf940858c4a4f

SHA512
5c989b32032d7062373d61659aabef12290a8ca997439dddf08055f31a2a9e13a382d0a8dc3dff210de429fed20e0694930c56b9e4cb0af5dda9f9c92ca001de

Download Submit
C:\Users\Admin\Desktop\GetSet.docx

Filesize
19KB

MD5
abe4e78e843207b1291bce0d4cff8262

SHA1
407c0cec53586ff6edede94551a2c98d205a59e7

SHA256
1a8d7729352f0edaac5da24dd4a3e42332e39871aa41fd5100e44f66641621af

SHA512
65f3519e5a146dc94abcf832ff30011fc2507f247a6a31c091642d843113c8b0f62d55f8d3b9c8b3f5a46203fc0d575c0dde96896443bbe2f6dfa332a6b48392

Download Submit
C:\Users\Admin\Desktop\LimitRead.edrwx

Filesize
547KB

MD5
597ce2ff7f8ddfa2289052cc68b3d317

SHA1
a2feead75ddf1f736d75c77a24f85932a3180061

SHA256
af69eea9a8facd267a91328503b3a237e2ef0a558e59ba54fd5023dc2ef5c3d0

SHA512
90113e8ad9597956e9db1a483fd9da767bc20969d2c009dc34ac70ee9385c76fefc66818870f058d5b79258cfacc9c2031d4a6f7ede246a5631ed42548ea5d4e

Download Submit
C:\Users\Admin\Desktop\LimitRestart.7z

Filesize
312KB

MD5
990077416898c46909e3e344c088f9a7

SHA1
74cc8e1818190c7aa5c65382dd8c2d44ba58288d

SHA256
cf282c4b652eeca9701d1bc39eeb933b47e96ca40a4b8c762099648fce25d276

SHA512
90bf5e185cb02f5fdc9b11139606871c4e212c37ae1c6f6a3d8e3ada1520be2ec635834d34fd4ab5a8fa687472185e5027888ea9bf2dcce6f9282f2ca4bc623c

Download Submit
C:\Users\Admin\Desktop\MergeRestore.potm

Filesize
234KB

MD5
fbdd293af6c40911ff1039519632bb00

SHA1
f363a3b155a305ed8a2d16c28da1cf8bbe100a31

SHA256
28c2055f939ff9ea882403e8a7ae11d06ee7417de3a5d312dfd857b364bf3916

SHA512
da910843c7c54e8b5df0840ab02a90044a563fe73bb034c4738f80c23f131a6f4089f735c8064f502637beebb7d39c74642b2a89e05eb72afcdd8b2b1e51a7b7

Download Submit
C:\Users\Admin\Desktop\MountConnect.7z

Filesize
410KB

MD5
81eee51dd187c35c41e28a035be1222b

SHA1
e5590c8848a455562592f12d062f98e5ec0613c4

SHA256
aa55debce04c005061e46982a4c9190237bb847755944a5d50d8c73e97fe8476

SHA512
37461eb748e82a809571e051cb9fb09f50ce0b48c2f70e0f308eb44977f52849f0247ca66485baa9a6884d7097ee9d62230d3fe68c2ac3421aae7b0a253ba156

Download Submit
C:\Users\Admin\Desktop\ProtectEnter.rar

Filesize
430KB

MD5
baf5e96edbfd530946d8a8161c438afd

SHA1
56727e6bac85be7b7c8d9b6a9860714f87b8bc23

SHA256
7e109ff5965b80ddbda80cdc7abf4b040c599a38f4eab813f7a2fe76836a8567

SHA512
f91b10bf365a00f2ced8fca7dd2848622964e67dc89412b560293c614a115d16893e1d6b7c15d15dc5a99225e75c82c0fc8aa7b9ac72928101326599459f9994

Download Submit
C:\Users\Admin\Desktop\RegisterStop.jpeg

Filesize
508KB

MD5
ec12eb02e812581d2eb337d25ce10f0b

SHA1
311f30e58782f397562e45d76c94a40a21a66a99

SHA256
84866839d62343d38dcb6ffa0a10238e512b9e5dde9b31e294dc1f1b5b9818f5

SHA512
02c89e93cf73ab3a97f325fa5d26a738aa773d5e3be157da12ea65f9019498b3742e74cda935e84f910586f325d29da1d4ae93967edab57a0bfad4212e47d529

Download Submit
C:\Users\Admin\Desktop\ResolveHide.dwg

Filesize
625KB

MD5
b022d85cf2d54bb95c40fc746e6ffd6f

SHA1
bb710bb6721c9a3f71dc1537af508d249606c27e

SHA256
581ac18b4c38817639272d82081359cfa93089a5775a046f8cd0249abb9d6f5b

SHA512
f30cb65708faef182ea9250b8e735bdc587b9db993a9e377e3f6a6f25672498b3cac0ceb2830dd6a844310a3455231bbeec99b56aa38934a7612c1ea15064738

Download Submit
C:\Users\Admin\Desktop\ResumeMerge.docx

Filesize
19KB

MD5
4eb5b443182ecd036d5451570af95e3a

SHA1
c9bbdf6f2ffae8815f1d3f1c9338af3444f44594

SHA256
8b0139fb57869cc5993ce2c50da77320ea739d84e3db7082947c280514d81e09

SHA512
621a5ba3971854a95e44613b9a20e8c78b34f62de4d4c640b0aed54c8aa570f1fc7663235bb780b3e3de5ca269fc871790a108db273bb04bd185803a2b455d14

Download Submit
C:\Users\Admin\Desktop\RevokeSave.wax

Filesize
352KB

MD5
7abc46fa52398a705d0459bae5e47fe7

SHA1
e0ed7e4345ee9c31a6df17bb60bc0f297d70b5a9

SHA256
94e87f0a3734a9c0207c04211d5024fc9f1d9653a5bb807e163b5d78f1b6368f

SHA512
b4503b7a7870f6f4cfa11773c256114858a200a6e8f2a76389b330edea56b946002e0c0b2dc02c23958627068960ca4ffd59ca925be6b485a69e6e8c0442ed47

Download Submit
C:\Users\Admin\Desktop\SaveUnpublish.pps

Filesize
919KB

MD5
60dbb7490150737126c947092a6ed7d4

SHA1
44a35d0a9141f027d0ab84c48754ca3ceafc29b7

SHA256
0e6303b37d95e2a2948a938001a0b769a9bad0d54b40db84a6659d65a4f6fa6a

SHA512
e35a7b2edd795c05cbe8ef0e32ad5c22ba4a436d93a12723ab4ac56d7e91b4e81ca7561a8240430c95fa7d133b18230938d8737d2351bb7ffdaa8f00915c10b8

Download Submit
C:\Users\Admin\Desktop\SearchJoin.docx

Filesize
16KB

MD5
b9e3636091922e1c09b7545b990295df

SHA1
56352432e964325c30941febf2b3fb87414af662

SHA256
7ca3e8278aa53dbef718ac05238d47d3bd0c62cf2c20effaa04be0be3a6c1980

SHA512
b149e5fd985193d18b95882424b42c7706a402f9708df33e5108cd9a8b0cb2f61e01e6584a9850f9b81fc09fad5aeda7a53b225694187037d4c2a50e953e0260

Download Submit
C:\Users\Admin\Desktop\SendRead.wpl

Filesize
254KB

MD5
0e7248a7c5881e1b896e92e54df0587d

SHA1
7159e0d12f6c8af910c79cc7353f7904dee0ae07

SHA256
832dcc7ad513217f9c24b377c341f19509f15a8837803c02b773c8664e87ce67

SHA512
9e5cd365c3f787a3e3a1062983f5e8a0c01f14554cb06e4c8ffffbe5bebc4ff78ec016426752ecdfaa1912e5441ab53d9d3f96664bbb96b522a089edc99faa7f

Download Submit
C:\Users\Admin\Desktop\SetShow.xsl

Filesize
528KB

MD5
38b733b7fff1705d3e63449e812a8945

SHA1
a5efa7ae037986d89a9f3b309819b9f83ca13677

SHA256
9145b2dd09811d7890dd511b1546288978fc9a3924eb2df73bda2f9995aa3a3d

SHA512
eb7f0962ad72b639d8883ad86a92123953391b74b45a91b60a3e49914f19d40bf5b305fa72b854bb69a29decdd19dcb474ed1a9b904462df27ea3c52ed4202e4

Download Submit
C:\Users\Admin\Desktop\ShowLock.docx

Filesize
14KB

MD5
44d80608b57e19349af72dd872b9070a

SHA1
d30e17aaf6ea2293cd615dcfe19ee62f6bb2c2ec

SHA256
da9c7928f273f0513a9d21e2f6f21dc2ca98de2c6781b5091965400f21026232

SHA512
726a43af41c023cef0b314cb3375d2588e1f8940912dd968c82901adf4d8e7cc33062693dc7db176e4fc3e294364308be150f3c9c3318809f2632dc73c829d69

Download Submit
C:\Users\Admin\Desktop\StepSet.easmx

Filesize
567KB

MD5
22cdddee414b9b4c4b05c2323805b806

SHA1
8fadacab6c56d84704c59dbf2d05ff4e45ec6dfc

SHA256
e66fc9858469ae8fb985ac48a7dc5183999918b150a282a32b635c36c58ce982

SHA512
d31893a1078a99962086128c673fb737b059931cb77892e46239a93c2c764e7577ef0dfd60f3775b7ab37cab91b5f5dd502758bc95983358f44d89d6b4c46858

Download Submit
C:\Users\Admin\Desktop\SuspendUnregister.docx

Filesize
16KB

MD5
e236a98302708033f85316b455923751

SHA1
bf12af54cc74e116ea4b50bfb9e5743157c1891a

SHA256
acc56b1cef05cac21938787c60505f3b468588d215cf0b6da82abc4f1762d070

SHA512
d2cb027e955e025226aeaacbeae553e4fb4fc7e0da7c5307e5e833810dd1b12253a084e8cd7039105e776cd59018130e03fd75868fa4b93dbbf2588aaae773d4

Download Submit
C:\Users\Admin\Desktop\SyncCheckpoint.asp

Filesize
391KB

MD5
5054711efeeb7f9f24ec44c8ace5ae00

SHA1
e354fe7d93cc402011530e358d58282205aa9d63

SHA256
ca4c8079e5c80e241d6573b0ef98b647386e8369700e3e9895faa0ddf77b1f30

SHA512
6c99645e4c04ddad17da383fc580e1da5d1620a33591ba0505d90434edcbd1422a54686c443639dc4d3b1a8798daf6557328e2be6c9ff52a0f448931fde7e6e8

Download Submit
C:\Users\Admin\Desktop\UndoNew.mpv2

Filesize
469KB

MD5
2cd44109411264487acc2d443a594727

SHA1
b5ce17a112b278febe9554735de83ed406953ce5

SHA256
5cc22278bf47e47520464938f91996d95e25faeea1e53ee5f3e6c59e4f19668e

SHA512
608d2df4c0a9246dd021a1be92657e03b6423c3590d444391cb2fc46b7ee08f1c532c5baedb63547c9132fe04f9164ad74eb295c71c746071a1e9f5ec25a625c

Download Submit
C:\Users\Admin\Desktop\UpdateSync.xlsb

Filesize
488KB

MD5
bf966811db15f93b4490e028fb5e8baa

SHA1
7f4d121c91a9a4ad18ced667ceff1fde166d6c4e

SHA256
8219c2b0305d45ea289cfb394d51e3c49bd463e86959e913f64e56f7fd74d676

SHA512
3b40035061f1adcb0da2fa80dc692f9ec3b0577692926bc3abd04b164e85e0d36040f6f9dde349a2512edde2b5beeec6fef66b5c2f2f9446848e24dc86cfccfa

Download Submit
memory/1032-7-0x0000000008260000-0x000000000827C000-memory.dmp

Filesize
112KB

Download
memory/1032-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/1032-4-0x0000000004EC0000-0x0000000004ECA000-memory.dmp

Filesize
40KB

Download
memory/1032-5-0x0000000074960000-0x0000000075111000-memory.dmp

Filesize
7.7MB

Download
memory/1032-6-0x0000000008690000-0x0000000008BBC000-memory.dmp

Filesize
5.2MB

Download
memory/1032-12-0x0000000074960000-0x0000000075111000-memory.dmp

Filesize
7.7MB

Download
memory/1032-3-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/1032-8-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/1032-9-0x0000000074960000-0x0000000075111000-memory.dmp

Filesize
7.7MB

Download
memory/1032-2-0x00000000055E0000-0x0000000005B86000-memory.dmp

Filesize
5.6MB

Download
memory/1032-10-0x0000000008C10000-0x0000000008C5C000-memory.dmp

Filesize
304KB

Download
memory/1032-1-0x0000000000470000-0x00000000004D0000-memory.dmp

Filesize
384KB

Download
memory/1032-11-0x0000000008D00000-0x0000000008D9C000-memory.dmp

Filesize
624KB

Download