ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52

General

Target

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
Size

930KB
MD5

2587361063e1b8f928f9011242f7ae70
SHA1

e775eebc421666e802d49cb35603576f207a556b
SHA256

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52
SHA512

d761332d81660a8e7aeaf8d99ff4fd1b5ac298499c208d2ddbc75d561479d1ba6c6073cf72ed8012fe6096526944e51a0cc1b64de11adf7c4aef413cf30c4005
SSDEEP

24576:2W/bl/Ddphp9ZwgzOf+jkCazpmHhDzIo1L0:z/pLrIgzoQkpmBPLZ0

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exead4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	ioc	process
File opened (read-only)	\??\U:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\Z:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\G:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\M:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\T:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\O:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\S:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\Y:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\B:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\E:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\K:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\L:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\Q:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\R:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\F:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\I:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\J:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\P:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\V:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\W:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\X:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\A:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\H:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File opened (read-only)	\??\N:	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Drops file in Program Files directory 17 IoCs

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish nude hardcore full movie bedroom .avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish kicking blowjob sleeping redhair .mpg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\danish handjob blowjob several models latex .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british blowjob catfight (Curtney).avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american beastiality horse hidden cock 40+ .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish fetish gay full movie feet castration .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Microsoft\Temp\xxx several models cock .rar.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Common Files\microsoft shared\beast full movie .avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fucking [free] titts .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\xxx lesbian granny .rar.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Google\Temp\fucking masturbation titts bondage (Melissa).zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american porn hardcore licking hole (Gina,Samantha).avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian gang bang hardcore masturbation glans 50+ (Curtney).mpeg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american action fucking full movie boots .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\american gang bang blowjob masturbation pregnant (Britney,Jade).zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\trambling hidden .avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\black action beast sleeping (Tatjana).rar.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Drops file in Windows directory 14 IoCs

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	ioc	process
File created	C:\Windows\mssrv.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\tyrkish fetish trambling masturbation mature .mpg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\InputMethod\SHARED\tyrkish action fucking sleeping granny .avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\danish action lesbian hidden .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\tmp\japanese action horse full movie hole black hairunshaved .rar.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\Downloaded Program Files\japanese nude lingerie catfight leather (Jenna,Liz).mpeg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gay [milf] feet .avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\sperm catfight .mpg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\indian nude hardcore hot (!) cock boots (Melissa).avi.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\CbsTemp\bukkake voyeur circumcision .zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\danish nude xxx uncut hole blondie .rar.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\assembly\temp\japanese beastiality lingerie [milf] ash (Anniston,Sylvia).zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\hardcore several models titts upskirt (Karin).zip.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish gang bang sperm licking feet .mpg.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exead4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exead4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exead4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

pid	process
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4880	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
4436	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exead4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

description	pid	process	target process
PID 4316 wrote to memory of 1836	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 4316 wrote to memory of 1836	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 4316 wrote to memory of 1836	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 4316 wrote to memory of 4436	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 4316 wrote to memory of 4436	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 4316 wrote to memory of 4436	4316	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 1836 wrote to memory of 4880	1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 1836 wrote to memory of 4880	1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
PID 1836 wrote to memory of 4880	1836	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe	ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe

C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
"C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4316

C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
"C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
"C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe
"C:\Users\Admin\AppData\Local\Temp\ad4483050a52e29f283dab4a5bb011bdc56944be87090c43e92348967f7c9e52.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436