ff740d602a59980248da3422c4dee6e682cafc00e86a9099584df92c32f63ce2

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 23:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6e3f98be3d0ee945dc79034cad75bf7.exe
Size

87KB
MD5

c6e3f98be3d0ee945dc79034cad75bf7
SHA1

9aee97dbc2c2c5ef7ef0f8ef17026285ac4dba60
SHA256

ff740d602a59980248da3422c4dee6e682cafc00e86a9099584df92c32f63ce2
SHA512

6c416bd2c308a62e0d13d42e0815a1767dbe4a5f68e4448599502226d15f1357065c544ac97e41ad1fe6edd31c7f0a2d88bc944bb0e6192e7666b39dcfd19ab4
SSDEEP

768:Yr1VCwireKp2dlZ8yL6RsibZF34LT1AquKKMQifgvYnbcuyD7URYNcwpP+ebu:YRVCaKgzbLc54hukfgvYnouy8RmcwVxy

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/files/0x0007000000016c20-5.dat	upx
behavioral1/memory/2808-8-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2684-46-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-49-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2808-50-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2684-52-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-53-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2488-55-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-61-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-91-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-95-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-107-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-112-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-116-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-120-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-124-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-138-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-142-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-146-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-150-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2020-154-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	c6e3f98be3d0ee945dc79034cad75bf7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\H:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\M:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\R:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\U:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\X:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\E:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\G:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\J:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\N:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\Q:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\Y:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\B:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\L:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\O:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\S:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\T:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\V:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\W:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\I:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\K:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\P:	c6e3f98be3d0ee945dc79034cad75bf7.exe
File opened (read-only)	\??\Z:	c6e3f98be3d0ee945dc79034cad75bf7.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\hardcore lesbian pregnant .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\bukkake big hotel (Jenna,Liz).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\System32\DriverStore\Temp\indian cumshot beast big redhair .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese porn xxx catfight beautyfull (Jenna,Liz).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\IME\shared\american porn bukkake several models (Liz).avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\danish action lingerie [milf] cock .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish cum xxx full movie circumcision (Sandy,Tatjana).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian animal trambling big ejaculation .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\bukkake big (Melissa).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SysWOW64\IME\shared\blowjob licking penetration .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\gay several models glans .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\fucking [milf] .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish cum horse [free] pregnant .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\russian fetish lingerie lesbian sm .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american handjob gay public .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\tyrkish cum bukkake uncut boots .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files\Windows Journal\Templates\kicking xxx several models hole femdom (Liz).mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\trambling uncut hole balls .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie voyeur stockings .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\trambling girls .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\swedish nude fucking sleeping shower .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files\DVD Maker\Shared\sperm catfight hole YEâPSè& .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese horse xxx hidden cock hotel (Jade).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Google\Temp\xxx public .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\brasilian beastiality sperm [milf] ejaculation .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\kicking trambling [free] .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\american animal bukkake full movie young .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\lingerie girls 50+ (Ashley,Curtney).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\kicking lingerie [bangbus] (Jade).rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\cum xxx several models lady .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\japanese gang bang hardcore catfight .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\lesbian voyeur .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish fetish beast catfight bondage .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\horse lesbian voyeur circumcision .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\british lingerie full movie lady .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\lesbian masturbation glans mature .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\kicking lingerie public leather .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\indian nude hardcore several models cock shower (Jade).mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\PLA\Templates\hardcore [free] hole (Jenna,Janette).mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\cum blowjob lesbian (Tatjana).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\gang bang horse sleeping .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\handjob xxx girls hole YEâPSè& (Liz).rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\american cum blowjob uncut glans girly .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\british beast voyeur .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\canadian blowjob [milf] feet beautyfull (Sylvia).mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\nude bukkake sleeping cock granny .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\tyrkish cum trambling masturbation (Melissa).mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\french beast catfight .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\horse horse [milf] titts hotel .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\chinese trambling voyeur penetration .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking masturbation titts .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\porn gay full movie girly .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\black beastiality fucking licking hole .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\beast public .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\beast lesbian titts bondage (Karin).avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\african horse catfight .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian gang bang lingerie [bangbus] redhair (Kathrin,Jade).rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\american gang bang xxx hidden titts .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\chinese sperm full movie glans .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\malaysia blowjob big hole ejaculation (Sarah).mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\black beastiality horse hot (!) fishy .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\beast catfight boots .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese porn lingerie uncut sweet .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\lingerie catfight feet .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\SoftwareDistribution\Download\indian cum fucking hot (!) .zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\tyrkish handjob lingerie several models .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\nude xxx full movie (Janette).avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\cumshot fucking hidden glans girly .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\german bukkake [bangbus] (Sylvia).mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\mssrv.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\brasilian horse lesbian girls hole 40+ (Sylvia).zip.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\security\templates\black action beast several models titts .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\swedish porn fucking uncut feet wifey .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\tyrkish nude hardcore masturbation (Curtney).rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian kicking hardcore public penetration .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\lingerie [milf] femdom (Gina,Sylvia).avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\british trambling hot (!) glans lady .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\bukkake masturbation leather .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\handjob gay girls cock bedroom .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\Temp\indian porn trambling masturbation cock gorgeoushorny .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\chinese trambling licking castration .rar.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\horse trambling uncut .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore [bangbus] .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\lesbian sleeping cock bedroom (Liz).mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\InstallTemp\spanish gay public (Samantha).avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\japanese animal beast big beautyfull .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian beastiality hardcore uncut ash .avi.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\russian cum hardcore hot (!) glans .mpeg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\black nude lesbian public YEâPSè& .mpg.exe	c6e3f98be3d0ee945dc79034cad75bf7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe
2684	c6e3f98be3d0ee945dc79034cad75bf7.exe
2488	c6e3f98be3d0ee945dc79034cad75bf7.exe
2020	c6e3f98be3d0ee945dc79034cad75bf7.exe
2808	c6e3f98be3d0ee945dc79034cad75bf7.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2808	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	28
PID 2020 wrote to memory of 2808	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	28
PID 2020 wrote to memory of 2808	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	28
PID 2020 wrote to memory of 2808	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	28
PID 2808 wrote to memory of 2684	2808	c6e3f98be3d0ee945dc79034cad75bf7.exe	29
PID 2808 wrote to memory of 2684	2808	c6e3f98be3d0ee945dc79034cad75bf7.exe	29
PID 2808 wrote to memory of 2684	2808	c6e3f98be3d0ee945dc79034cad75bf7.exe	29
PID 2808 wrote to memory of 2684	2808	c6e3f98be3d0ee945dc79034cad75bf7.exe	29
PID 2020 wrote to memory of 2488	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	30
PID 2020 wrote to memory of 2488	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	30
PID 2020 wrote to memory of 2488	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	30
PID 2020 wrote to memory of 2488	2020	c6e3f98be3d0ee945dc79034cad75bf7.exe	30

C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe
"C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe
  "C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe
    "C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe
  "C:\Users\Admin\AppData\Local\Temp\c6e3f98be3d0ee945dc79034cad75bf7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\trambling uncut hole balls .mpeg.exe

Filesize
1.3MB

MD5
bd2539ece025ed578cbbf4a1543d9988

SHA1
b1484b351609862ae619fe61e5c646fa4f048393

SHA256
3762337aba9e22be2472b975e400cc3d3c0faf5d1fd528c0b886427fb8d54635

SHA512
4710baafddf7f1561a6c33081602d4ec23d72671121fceb0121149fafaed4a7599632e48aeb36f9673b9d28e078d5033be2825b667b70a6e32d676f4641c26d8

Download Submit
memory/2020-120-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-154-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-150-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-49-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-146-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-90-0x0000000004D90000-0x0000000004DB0000-memory.dmp

Filesize
128KB

Download
memory/2020-53-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-142-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-56-0x0000000005040000-0x0000000005060000-memory.dmp

Filesize
128KB

Download
memory/2020-7-0x0000000005040000-0x0000000005060000-memory.dmp

Filesize
128KB

Download
memory/2020-138-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-116-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-61-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2020-124-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2488-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2684-52-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2684-46-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2808-50-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2808-8-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download