2ed254b5987bfd98a5c7b79e9fdaa7328bd3923f8a89dcdbff6e52f90ff1afe6

Analysis

max time kernel
264s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d10fa55c61efdfea8a5e609fd7d24c0e.exe
Size

1.4MB
MD5

d10fa55c61efdfea8a5e609fd7d24c0e
SHA1

541f15f049a3aa8f75bad1569875b0743472cdad
SHA256

2ed254b5987bfd98a5c7b79e9fdaa7328bd3923f8a89dcdbff6e52f90ff1afe6
SHA512

e147bd2f2355f1cdf69c246491378f2de139cd9de50d9869fc8d515f4567ef17ffc3de37fc8a6513357f0c0c1ad4b562092f64328e9371d0267542858a45f0ec
SSDEEP

24576:lq8cRMbi/MdQ6gjmQCn3MxJ5TNap2smazKMyMQ44fMpUcVGphZrTbL:02bdl0gGxILem4EpUc4jBbL

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\I:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\P:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\B:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\J:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\S:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\T:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\U:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\W:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\X:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\E:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\H:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\K:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\Q:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\R:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\V:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\A:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\L:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\M:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\N:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\O:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\Y:	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File opened (read-only)	\??\Z:	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish horse trambling [milf] cock .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\IME\shared\russian gang bang hardcore uncut black hairunshaved .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking [free] hotel .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\System32\DriverStore\Temp\bukkake [milf] glans latex (Tatjana).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob voyeur .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\swedish horse trambling several models (Sarah).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish action hardcore girls .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\canadian lesbian licking YEâPSè& .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\FxsTmp\nude beast several models feet sweet .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SysWOW64\IME\shared\xxx hidden (Janette).zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\Templates\gay sleeping high heels (Sonja,Sylvia).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\gay licking cock penetration .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\fucking sleeping glans shoes (Melissa).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lesbian [bangbus] .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\fucking sleeping .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Google\Temp\bukkake public titts .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese cumshot beast catfight granny .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\beast hidden glans bedroom .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish horse lesbian full movie (Sylvia).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gay sleeping titts .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\swedish porn beast licking (Liz).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish gang bang beast several models hole .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\japanese horse gay sleeping titts black hairunshaved .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\lesbian girls stockings .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\italian handjob gay voyeur .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Drops file in Windows directory 50 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\german lingerie masturbation titts hotel (Sarah).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\black gang bang trambling licking beautyfull .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\hardcore public (Jade).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\lingerie girls cock (Jenna,Tatjana).zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\handjob xxx masturbation titts beautyfull .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\canadian beast girls feet .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\danish fetish xxx licking girly .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian porn lesbian full movie (Melissa).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american nude hardcore [bangbus] lady .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian kicking fucking [free] .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\xxx sleeping feet lady .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black beastiality horse [milf] titts .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\tyrkish kicking sperm licking (Karin).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\sperm full movie feet blondie .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\xxx licking (Karin).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\SoftwareDistribution\Download\beast lesbian ìï (Jenna,Melissa).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\indian cum gay lesbian titts femdom (Samantha).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\gang bang gay [bangbus] .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\mssrv.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\russian gang bang hardcore girls titts .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\swedish cum bukkake sleeping titts upskirt .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\security\templates\horse lesbian latex .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie uncut latex .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\handjob beast [bangbus] balls .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish action trambling big glans .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\british sperm hot (!) (Liz).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\indian cum lingerie uncut .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\blowjob lesbian glans .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\fucking public redhair .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\Downloaded Program Files\japanese porn fucking [free] boots (Anniston,Curtney).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\black gang bang hardcore public hole wifey (Sylvia).avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\tyrkish cumshot blowjob public .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\chinese trambling uncut feet sm .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\danish action hardcore big hole traffic (Karin).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\tmp\beast big .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\blowjob hidden feet redhair (Sylvia).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\horse lesbian several models feet black hairunshaved .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\canadian trambling big boots .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\black gang bang sperm girls feet .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish gang bang hardcore [milf] feet .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\american horse bukkake licking sm .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\african blowjob catfight cock (Britney,Janette).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\russian porn trambling hidden .avi.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\temp\bukkake uncut .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\black cumshot horse girls feet (Sonja,Melissa).rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\american handjob xxx full movie castration .rar.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\PLA\Templates\swedish horse horse [bangbus] beautyfull .mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian animal lesbian masturbation .mpeg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\japanese porn hardcore girls bedroom .zip.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\asian xxx hidden (Sarah).mpg.exe	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1268	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe
1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe
2516	d10fa55c61efdfea8a5e609fd7d24c0e.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1828	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	27
PID 2456 wrote to memory of 1828	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	27
PID 2456 wrote to memory of 1828	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	27
PID 2456 wrote to memory of 1828	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	27
PID 2456 wrote to memory of 2516	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	28
PID 2456 wrote to memory of 2516	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	28
PID 2456 wrote to memory of 2516	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	28
PID 2456 wrote to memory of 2516	2456	d10fa55c61efdfea8a5e609fd7d24c0e.exe	28
PID 1828 wrote to memory of 1268	1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe	29
PID 1828 wrote to memory of 1268	1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe	29
PID 1828 wrote to memory of 1268	1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe	29
PID 1828 wrote to memory of 1268	1828	d10fa55c61efdfea8a5e609fd7d24c0e.exe	29

C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe
"C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe
  "C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe
    "C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1268
- C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe
  "C:\Users\Admin\AppData\Local\Temp\d10fa55c61efdfea8a5e609fd7d24c0e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\gay sleeping titts .mpg.exe

Filesize
625KB

MD5
ec9f8a5696f9db2cae51df3e8a742b90

SHA1
22c72dc23ed23ca6d05a4ed2990c2bfc0adee07d

SHA256
eea2f5298ec756ff0d67171c5c37e30ad90da288303b11506e6918590754be0b

SHA512
b251ba37faef6f8f1594578fa0ebac2a1bc9b23df5d221320f027ce0608072c0b7d64c26af4548dccc3987bf4759a229f7b89819a65edfbb9ef422d001497ead

Download Submit
memory/1268-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1828-21-0x0000000004900000-0x000000000491C000-memory.dmp

Filesize
112KB

Download
memory/1828-69-0x0000000004900000-0x000000000491C000-memory.dmp

Filesize
112KB

Download
memory/1828-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-63-0x0000000001CF0000-0x0000000001D0C000-memory.dmp

Filesize
112KB

Download
memory/2456-53-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-19-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2456-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-125-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-64-0x0000000004F60000-0x0000000004F7C000-memory.dmp

Filesize
112KB

Download
memory/2456-2-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-111-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2456-119-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2516-20-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2516-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download