bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
Size

1.5MB
MD5

f80efd731ab68473940b3acf16301189
SHA1

2bbb42b0f20ab39e7d3cfbc69d2f72cbeb4b2e69
SHA256

bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd
SHA512

f1d62d4ac97672a53836e503d22fc956418a17d977bcfb2108cf855a54c22c5450ecc45eeb7b41d0f8b35605467e72cb6b8d3215f6c82784d31da297fd50e96f
SSDEEP

24576:t2lmdLLXUFImaGX7ElsOnzYE+tOKQ/Z6e3ocF0K6q72WCebpB:Q4dLLXVDg7Ef2tlQ/Z6GBF0Kl72WCO

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

resource	yara_rule
behavioral1/memory/2344-5-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-15-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2344-16-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-17-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2996-18-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-19-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2776-22-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-72-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-98-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-106-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-110-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-115-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-129-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-137-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-141-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-145-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1668-149-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/2344-5-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/files/0x0007000000016544-7.dat	UPX
behavioral1/memory/2996-14-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-15-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/2344-16-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-17-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/2996-18-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-19-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/2776-22-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-72-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-98-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-106-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-110-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-115-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-129-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-137-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-141-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-145-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral1/memory/1668-149-0x0000000000400000-0x000000000041D000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1668-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2344-5-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/files/0x0007000000016544-7.dat	upx
behavioral1/memory/2996-14-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-15-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2344-16-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-17-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2996-18-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-19-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/2776-22-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-72-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-98-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-106-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-110-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-115-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-129-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-137-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-141-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-145-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral1/memory/1668-149-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\O:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\R:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\S:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\E:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\I:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\J:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\N:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\U:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\V:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\X:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\Y:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\G:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\K:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\M:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\H:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\W:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\Z:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\Q:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\T:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\A:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\B:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File opened (read-only)	\??\P:	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian handjob blowjob big sm .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\System32\DriverStore\Temp\chinese horse hot (!) hole young .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian cum masturbation .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black horse fucking public girly .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american horse uncut blondie .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian beast big ìï (Ashley).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking fucking licking (Liz,Gina).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\IME\shared\asian animal handjob big legs wifey .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian bukkake blowjob uncut .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish beastiality fetish catfight redhair .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\british xxx sperm voyeur cock pregnant .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\french action porn lesbian titts mistress .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\swedish fucking fetish masturbation ash .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Google\Update\Download\fucking trambling uncut glans balls .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\asian beastiality catfight glans Œß .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\chinese lesbian [free] femdom .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files\Windows Journal\Templates\asian lingerie sleeping glans .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\german gang bang nude big bedroom (Melissa,Christine).avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Google\Temp\handjob porn big .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\british blowjob beastiality hidden YEâPSè& .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german sperm gay several models legs mistress .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files\Common Files\Microsoft Shared\sperm kicking licking titts penetration .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese hardcore voyeur vagina .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\hardcore hidden .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\black sperm lingerie masturbation mistress (Janette).mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\japanese cum trambling big (Sylvia,Anniston).mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\japanese action catfight shoes .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\InstallTemp\tyrkish hardcore horse sleeping .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\canadian cum several models (Tatjana).zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\cum hot (!) ash (Sonja,Janette).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\beast girls ash .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\bukkake licking bondage .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\beastiality hidden .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\horse xxx masturbation ejaculation .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\sperm beast masturbation sweet .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\temp\cum [free] YEâPSè& .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\tmp\american trambling catfight nipples .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\PLA\Templates\lingerie bukkake lesbian fishy (Sandy,Janette).mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\french sperm public titts young .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\lesbian beast voyeur .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\british horse handjob big sm .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish hardcore uncut hairy .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\brasilian trambling licking boobs bedroom (Kathrin).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish cumshot bukkake [free] .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\french fetish cum masturbation cock latex .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\chinese fetish catfight .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\tyrkish sperm gay hidden ash femdom .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\action hidden legs lady (Ashley,Sarah).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\beast xxx uncut ash shoes (Samantha).zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\fetish hardcore hidden hotel (Sandy,Sonja).avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\american animal handjob uncut ìï .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\security\templates\fucking lingerie hidden .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\japanese cum licking .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\french cumshot beastiality [bangbus] circumcision .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\fucking lesbian (Tatjana).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\malaysia gay hidden (Sonja,Janette).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\french blowjob bukkake hot (!) (Janette).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\Temp\french trambling lesbian [bangbus] .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\british horse beast big stockings (Curtney).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\french blowjob horse hot (!) .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\brasilian horse big glans 40+ .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\bukkake handjob hot (!) penetration .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\lesbian beast lesbian pregnant .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\spanish lesbian uncut boobs .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\beastiality hardcore voyeur 50+ .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\german fucking fucking uncut (Gina,Samantha).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\gang bang gang bang [milf] ash .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\cum xxx voyeur .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\danish action xxx uncut fishy .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\russian animal licking upskirt (Sylvia,Kathrin).zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\asian blowjob lesbian .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\spanish cumshot [bangbus] ash traffic .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\african blowjob several models feet latex .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\malaysia hardcore kicking uncut .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\SoftwareDistribution\Download\african fetish handjob voyeur (Sonja).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\swedish fetish sperm several models .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\african cum trambling [bangbus] glans (Melissa).mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\italian lingerie licking .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\blowjob gang bang catfight traffic .rar.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\black beast cumshot catfight bondage (Gina).avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\fetish beast voyeur blondie .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\sperm public .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\tyrkish xxx horse lesbian .zip.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\animal horse lesbian cock shoes .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\gang bang hidden (Karin,Liz).mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\handjob bukkake full movie mistress (Anniston).mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\african cum cum hidden cock .avi.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\kicking [milf] cock .mpg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\porn fetish voyeur 50+ .mpeg.exe	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2776	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
2996	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2344	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	28
PID 1668 wrote to memory of 2344	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	28
PID 1668 wrote to memory of 2344	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	28
PID 1668 wrote to memory of 2344	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	28
PID 2344 wrote to memory of 2996	2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	29
PID 2344 wrote to memory of 2996	2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	29
PID 2344 wrote to memory of 2996	2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	29
PID 2344 wrote to memory of 2996	2344	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	29
PID 1668 wrote to memory of 2776	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	30
PID 1668 wrote to memory of 2776	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	30
PID 1668 wrote to memory of 2776	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	30
PID 1668 wrote to memory of 2776	1668	bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe	30

C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
"C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
  "C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
    "C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2996
- C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe
  "C:\Users\Admin\AppData\Local\Temp\bbd6d7861044abb703ed2d0cd418cbe7d7a9b337b5b80c81b08e98d56a029edd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\german gang bang nude big bedroom (Melissa,Christine).avi.exe

Filesize
695KB

MD5
41c870fc8193cc00021680f67716f296

SHA1
38c534072ee2d7c54e2c239077f29b2eb0905f52

SHA256
8077590bfc8dfc8cd7474e57aa285ac4596cee5377ab446b796a00aa71f42cc7

SHA512
e3b7bc6420686565e2983810bfd61cf9eb7d84f25791c47445026a5d43ae5d8195144800a1d6e363e7f969188abed2cdb582614515a66225d1c416cf6313a885

Download Submit
C:\debug.txt

Filesize
183B

MD5
6da412caf2d2862b1faf1451a8978b17

SHA1
8b0d63d2f7a61f6bc566073e8c507b9ea618e0fb

SHA256
561a6e51cde70545a9763e15063af7e11369dda15d2f63bf78d78b2b1d15d657

SHA512
56aa6733189045f92f5c7283a5bcb0c629644f9f7944bf420afa7b3191d5f3cd141521a2db89afb291cb5c37be8997c84b1591f408216c71af6b3ac837c0382b

Download Submit
memory/1668-110-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-98-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-145-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-15-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-17-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-19-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-129-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-72-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-4-0x0000000004A60000-0x0000000004A7D000-memory.dmp

Filesize
116KB

Download
memory/1668-106-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1668-115-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2344-5-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2344-16-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2344-13-0x0000000004900000-0x000000000491D000-memory.dmp

Filesize
116KB

Download
memory/2776-22-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2996-18-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2996-14-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download