5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 20:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
Size

320KB
MD5

4fde9e74a56499d6fba1abd6f043ae34
SHA1

b6e151fad25a07b7618648bd9a2812d0b8ed8d66
SHA256

5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c
SHA512

3ce6c4059abed497b0fb53cc6e0c3e09cd1d20dfba0fd29aa800e864ebbf5e81d8b8e2013867c9acc8d5a1d94774c10ebef10f731ef95330ec3246a2c8e7b26a
SSDEEP

6144:gjluQoS3Io5ROk0Cl9E1a5QWXoSiXL4MOVe7BJXeMu5R3Yo3k2:gEQoShykll9E1a5/XopXMQ7DeMuc4k2

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 20 IoCs

resource	yara_rule
behavioral1/memory/2188-19-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2692-55-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-87-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2188-88-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-89-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2552-90-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2692-91-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-93-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-98-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-102-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-116-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-120-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-124-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-128-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-134-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-138-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-142-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-146-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-150-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2004-154-0x0000000000400000-0x0000000000420000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 23 IoCs

resource	yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/files/0x000a000000015364-5.dat	UPX
behavioral1/memory/2188-19-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2552-54-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2692-55-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-87-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2188-88-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-89-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2552-90-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2692-91-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-93-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-98-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-102-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-116-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-120-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-124-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-128-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-134-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-138-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-142-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-146-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-150-0x0000000000400000-0x0000000000420000-memory.dmp	UPX
behavioral1/memory/2004-154-0x0000000000400000-0x0000000000420000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2004-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x000a000000015364-5.dat	upx
behavioral1/memory/2188-19-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2552-54-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2692-55-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-87-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2188-88-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-89-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2552-90-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2692-91-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-93-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-98-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-102-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-116-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-120-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-124-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-128-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-134-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-138-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-142-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-146-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-150-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2004-154-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\A:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\G:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\I:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\Q:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\T:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\E:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\K:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\L:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\M:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\N:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\R:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\S:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\X:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\P:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\V:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\W:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\Y:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\B:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\H:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\J:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\O:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File opened (read-only)	\??\Z:	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm hot (!) gorgeoushorny .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish action lesbian nipples (Sonja).avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american gay hot (!) latex .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian blowjob hidden penetration (Sylvia).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\IME\shared\blowjob porn licking sm .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\french gay [bangbus] bedroom (Gina).avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish trambling trambling hot (!) girly .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\IME\shared\malaysia cum big titts mature .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian lingerie full movie (Kathrin,Sonja).avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia horse blowjob public cock fishy .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\beast uncut bedroom (Anniston,Sandy).mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian cum horse catfight YEâPSè& .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\asian fetish licking vagina sm .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\chinese blowjob masturbation .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\german cum handjob lesbian penetration (Sylvia).rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\british cumshot beastiality uncut swallow .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\bukkake animal catfight legs .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files\Windows Journal\Templates\horse xxx uncut cock black hairunshaved .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\african sperm big titts 50+ .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\british beastiality public .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\asian nude sleeping bondage (Liz,Kathrin).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files\DVD Maker\Shared\beast bukkake [bangbus] penetration (Sylvia,Samantha).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Google\Update\Download\chinese blowjob hidden redhair (Kathrin,Curtney).mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish horse handjob catfight ash gorgeoushorny .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Program Files (x86)\Google\Temp\asian kicking cumshot full movie .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\spanish porn gang bang [bangbus] feet girly .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\lingerie xxx uncut (Janette).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\SoftwareDistribution\Download\lingerie cum masturbation legs fishy .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\danish gay bukkake hot (!) glans blondie .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\security\templates\asian blowjob hidden .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\indian sperm catfight hole .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\canadian gang bang horse [free] high heels (Gina).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\russian lesbian fetish big young .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\xxx public .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\black xxx several models girly (Sonja).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\hardcore lesbian masturbation wifey .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\norwegian blowjob action catfight bedroom .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\lesbian catfight 50+ (Sylvia).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\nude [bangbus] ìï .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\spanish lingerie several models .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\danish hardcore lesbian titts .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\temp\american bukkake animal several models cock bondage .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\xxx public circumcision (Anniston).avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\russian beastiality big ash upskirt (Kathrin,Anniston).rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian nude hot (!) (Kathrin).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\italian lesbian lingerie [free] .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\brasilian trambling horse big (Kathrin).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\malaysia nude lesbian big feet .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\african blowjob kicking licking balls .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\porn full movie lady .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\canadian fetish hot (!) (Melissa).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\fucking uncut swallow .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\cum [milf] ejaculation .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\chinese cumshot big boots (Sarah).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\chinese beast licking sweet (Christine).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\italian porn fucking sleeping .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\french action sleeping .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\lesbian several models nipples (Janette,Gina).mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\kicking hardcore catfight .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\nude bukkake several models ìï .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\canadian lingerie big 40+ (Melissa).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\xxx masturbation .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\japanese hardcore [bangbus] swallow (Ashley,Gina).avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\indian action nude hot (!) .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse [bangbus] YEâPSè& .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\Downloaded Program Files\japanese action beastiality licking boobs .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\horse licking titts penetration (Kathrin).mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\trambling sleeping .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\norwegian bukkake lesbian girls glans circumcision .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\malaysia xxx [milf] vagina shower .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\african animal action [bangbus] .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\german handjob hardcore big ejaculation .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\lingerie blowjob big .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\swedish cum porn lesbian .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\fetish porn masturbation 40+ (Sonja,Sarah).zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\horse big boobs boots .rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\malaysia lingerie [milf] ash .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\italian xxx [bangbus] (Samantha,Britney).rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\assembly\tmp\trambling trambling girls glans .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\tyrkish horse big girly .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\bukkake uncut gorgeoushorny .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\french fetish beastiality masturbation legs (Christine,Jade).rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\gang bang public wifey .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\russian animal uncut ash balls .mpeg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\bukkake cum lesbian feet (Kathrin).rar.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\Temp\chinese blowjob kicking big boots .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\japanese action porn big feet .mpg.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\canadian action sleeping .avi.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\swedish hardcore cumshot voyeur legs fishy .zip.exe	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2552	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2692	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2188	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	28
PID 2004 wrote to memory of 2188	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	28
PID 2004 wrote to memory of 2188	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	28
PID 2004 wrote to memory of 2188	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	28
PID 2188 wrote to memory of 2552	2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	29
PID 2188 wrote to memory of 2552	2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	29
PID 2188 wrote to memory of 2552	2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	29
PID 2188 wrote to memory of 2552	2188	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	29
PID 2004 wrote to memory of 2692	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	30
PID 2004 wrote to memory of 2692	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	30
PID 2004 wrote to memory of 2692	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	30
PID 2004 wrote to memory of 2692	2004	5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe	30

C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
"C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
  "C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
    "C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe
  "C:\Users\Admin\AppData\Local\Temp\5b103d26ce2c3096df29270ced76c265bb3df8ad3da96973544deb4deec19d0c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\african sperm big titts 50+ .mpg.exe

Filesize
883KB

MD5
f3fe023f87abdcf28c7a41b4c035745f

SHA1
04dc7fd94981d5521d15a57ebf76f746259d3677

SHA256
ebc3d36e77ecd09b6a4534557d1f65800f1cfefbaa45360159296e0cc98f0a78

SHA512
3d4114481052d6989793c6da3d3c2d72ae317946a51bc20ddda3d4d28ea5b283e2956cb06b1f23129ea0ef5f76873362d1d2c38c2725af338365e25e40e256c7

Download Submit
memory/2004-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-134-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-98-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-102-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-128-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-92-0x0000000004A90000-0x0000000004AB0000-memory.dmp

Filesize
128KB

Download
memory/2004-17-0x0000000004A90000-0x0000000004AB0000-memory.dmp

Filesize
128KB

Download
memory/2004-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2004-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2188-53-0x00000000047C0000-0x00000000047E0000-memory.dmp

Filesize
128KB

Download
memory/2188-19-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2552-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download