8c7975ecdb7c7b8217ccf5bf3cb1fe7f578d50cf4b3943ea1edb73e3618f6b3a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6bbfd398f19f9854e73140f7d699c28b.exe
Size

428KB
MD5

6bbfd398f19f9854e73140f7d699c28b
SHA1

368ebe5c13d7804c83272d87a28335723a9056da
SHA256

8c7975ecdb7c7b8217ccf5bf3cb1fe7f578d50cf4b3943ea1edb73e3618f6b3a
SHA512

1eb97d951613d0de82bc570d540208f5af61e80ee8e7b3162629b6e579f3597ae2d8eb6d99d7396da1740e2b79f32d4a283554c8542b8e7a71d7a11aa21d3ec9
SSDEEP

12288:sPKLXq7w/g7Ib/f00hn4438PENJJvZBo5:sSLOIE+4WiENrZK

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	6bbfd398f19f9854e73140f7d699c28b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	6bbfd398f19f9854e73140f7d699c28b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4828-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0007000000023238-5.dat	upx
behavioral2/memory/3136-123-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4488-168-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3480-169-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4828-194-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3136-200-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4488-201-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3480-202-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6bbfd398f19f9854e73140f7d699c28b.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\J:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\V:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\Y:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\A:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\G:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\K:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\L:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\X:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\U:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\Z:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\M:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\P:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\Q:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\S:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\T:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\R:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\W:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\B:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\H:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\I:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\N:	6bbfd398f19f9854e73140f7d699c28b.exe
File opened (read-only)	\??\O:	6bbfd398f19f9854e73140f7d699c28b.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\asian xxx [bangbus] hairy (Melissa).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\hardcore uncut .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian fetish lesbian licking .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\french lingerie voyeur ash .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish kicking [milf] circumcision .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling voyeur (Liz).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\african porn gang bang girls .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish gay big boots .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian gay licking (Melissa,Jenna).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish handjob public circumcision (Melissa).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\IME\SHARED\canadian hardcore blowjob full movie .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\cumshot girls circumcision .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\brasilian hardcore kicking licking .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay full movie feet blondie .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\cum several models glans .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian gay blowjob [free] cock upskirt (Samantha,Karin).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia action nude [free] (Kathrin).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\handjob [free] .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\dotnet\shared\spanish beast masturbation lady (Ashley,Britney).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Google\Update\Download\nude public .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american porn [bangbus] vagina (Ashley).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx animal [bangbus] (Liz).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lesbian lesbian lesbian hole (Christine,Gina).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Google\Temp\spanish kicking public glans (Anniston,Gina).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beastiality full movie ash (Gina).avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\animal masturbation high heels .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\cum several models boots .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast animal sleeping .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\italian trambling beastiality [milf] 50+ .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lingerie action masturbation blondie .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\american horse hardcore lesbian ash .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\blowjob voyeur YEâPSè& (Samantha,Ashley).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\blowjob fucking uncut (Ashley).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\black gang bang horse girls YEâPSè& (Samantha,Karin).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\spanish kicking hot (!) leather .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\japanese fetish masturbation hole fishy (Sonja).avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\russian lesbian full movie .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\swedish gay fucking [free] titts beautyfull .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\spanish action voyeur hotel .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\black fetish several models titts sweet (Melissa,Curtney).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\american blowjob public high heels .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\sperm [bangbus] boobs granny (Liz,Sylvia).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\mssrv.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\american trambling catfight .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\malaysia trambling gay uncut ash .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\nude big feet .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\german kicking beastiality hot (!) nipples .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\tyrkish gay public .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\cumshot uncut (Jenna,Curtney).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\canadian cum catfight .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\canadian hardcore porn voyeur latex .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\japanese handjob [bangbus] leather .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SoftwareDistribution\Download\canadian blowjob trambling lesbian cock (Jade,Britney).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\trambling several models (Sylvia,Melissa).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx cumshot [bangbus] hairy .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\tyrkish lesbian several models (Sylvia,Britney).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\bukkake bukkake [bangbus] femdom (Sylvia).avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\asian beast bukkake girls black hairunshaved .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\tyrkish fetish beast uncut .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\indian xxx hardcore [free] hotel .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\malaysia hardcore porn [free] ash lady (Anniston).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american horse handjob masturbation vagina balls (Christine).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\beastiality gay [bangbus] .avi.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\trambling full movie .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\swedish gay hot (!) 40+ (Sandy,Sonja).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\brasilian hardcore [milf] ash .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\spanish animal masturbation .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian xxx sleeping young (Curtney,Jenna).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\fucking lesbian licking cock shoes .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\trambling porn catfight stockings .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\danish blowjob xxx masturbation boobs balls .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\norwegian beastiality horse catfight legs .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\brasilian sperm blowjob full movie pregnant .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\beast [milf] vagina .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\action sleeping bondage .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\norwegian fetish fetish [milf] hole .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\norwegian hardcore nude lesbian (Tatjana).mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\russian gay blowjob masturbation penetration .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\norwegian fucking sleeping boobs (Ashley).rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\japanese cum handjob uncut .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\asian xxx hot (!) feet shoes (Anniston,Jenna).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\chinese gang bang uncut wifey (Sarah).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\russian beast lesbian .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\italian porn voyeur shower (Liz).zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\indian nude uncut bedroom (Liz).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\cum sleeping (Ashley).mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\french lesbian voyeur .mpeg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\italian fetish lesbian gorgeoushorny .mpg.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\tyrkish kicking big titts circumcision .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\chinese sperm porn uncut legs .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\danish lingerie [bangbus] boobs young .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\trambling gay big legs .zip.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\german lingerie trambling lesbian .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\canadian beastiality porn catfight .rar.exe	6bbfd398f19f9854e73140f7d699c28b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4828	6bbfd398f19f9854e73140f7d699c28b.exe
4488	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3136	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe
3480	6bbfd398f19f9854e73140f7d699c28b.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 3136	4828	6bbfd398f19f9854e73140f7d699c28b.exe	88
PID 4828 wrote to memory of 3136	4828	6bbfd398f19f9854e73140f7d699c28b.exe	88
PID 4828 wrote to memory of 3136	4828	6bbfd398f19f9854e73140f7d699c28b.exe	88
PID 4828 wrote to memory of 4488	4828	6bbfd398f19f9854e73140f7d699c28b.exe	93
PID 4828 wrote to memory of 4488	4828	6bbfd398f19f9854e73140f7d699c28b.exe	93
PID 4828 wrote to memory of 4488	4828	6bbfd398f19f9854e73140f7d699c28b.exe	93
PID 3136 wrote to memory of 3480	3136	6bbfd398f19f9854e73140f7d699c28b.exe	94
PID 3136 wrote to memory of 3480	3136	6bbfd398f19f9854e73140f7d699c28b.exe	94
PID 3136 wrote to memory of 3480	3136	6bbfd398f19f9854e73140f7d699c28b.exe	94

C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe
"C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe
  "C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe
    "C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3480
- C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe
  "C:\Users\Admin\AppData\Local\Temp\6bbfd398f19f9854e73140f7d699c28b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay full movie feet blondie .avi.exe

Filesize
656KB

MD5
7fa12b1e12ba1473952b0bbde9e3af4c

SHA1
cecfe0d860b76a05f822077e72b6eb03ef161e77

SHA256
bb5eb4d6a6a36f70cd10c5a2211988c36c3d6eccbdaadeea8198cb21ce8acd44

SHA512
9f05d53df92bacd416dad890e9b27c4358793acd7bc3c0472e4fe7165bf2fbd74f1bcff140ce410890444f89659e54b06af9dbf8345b387da13675f1a3ab7221

Download Submit
memory/3136-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3136-200-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3480-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3480-202-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4488-168-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4488-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4828-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4828-194-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download