60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 22:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
Size

1.7MB
MD5

312417dd927b9b3f45e999491988e406
SHA1

b7b44555df914045902c3f550c71f8a0651145c5
SHA256

60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805
SHA512

d40a2ff8f9bf91680a2fe557a4fb7b31fd3428231bbc66b7908ed4dfc9ff2057694a72b1eb5e205b8e35b0f4f760f257d39a8b0209ee474850d0ed7d8f3f70da
SSDEEP

49152:xfyV9cRc3kpgIMExQ5NtLxM/YHcUrkq1i591H53rNXZOPrh+:xKV9ca3k2lrxMgHcUrfMHV3OPrh+

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

resource	yara_rule
behavioral2/memory/1004-140-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/640-154-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2264-167-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1616-169-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-170-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-183-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-191-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-195-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-199-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-203-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-207-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-212-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-216-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-220-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-224-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-230-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1004-240-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral2/memory/1004-0-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/files/0x0008000000023410-5.dat	UPX
behavioral2/memory/640-10-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-140-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/640-154-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/2264-167-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1616-169-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-170-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-183-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-191-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-195-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-199-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-203-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-207-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-212-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-216-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-220-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-224-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-230-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1004-240-0x0000000000400000-0x000000000041C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
Key value queried	\REGISTRY\USER\S-1-5-21-776854024-226333264-2052258302-1000\Control Panel\International\Geo\Nation	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\X:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\H:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\I:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\O:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\J:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\W:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\N:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\S:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\T:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\U:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\Y:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\K:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\L:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\M:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\Z:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\G:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\P:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\Q:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\R:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\A:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\B:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File opened (read-only)	\??\E:	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\brasilian porn hardcore full movie titts bedroom (Melissa).mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\FxsTmp\cumshot sperm [free] cock young .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\norwegian bukkake [free] feet bedroom .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian action beast hidden young (Jenna,Melissa).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob sleeping .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\FxsTmp\blowjob full movie traffic .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast voyeur latex (Sonja,Melissa).rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese cum sperm uncut mature .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american cum trambling lesbian hole ejaculation .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish kicking lesbian girls traffic .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish horse gay girls (Samantha).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american nude gay uncut glans ¼ë .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\russian nude xxx lesbian swallow (Britney,Janette).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian gang bang gay several models glans gorgeoushorny (Karin).mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\german hardcore [milf] gorgeoushorny (Sonja,Liz).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Google\Temp\bukkake [milf] feet blondie .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\danish nude sperm masturbation pregnant .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\root\Templates\trambling public traffic .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish kicking trambling [milf] cock 40+ (Sylvia).rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian kicking lesbian sleeping mature .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\sperm public titts .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american gang bang hardcore voyeur (Liz).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Microsoft\Temp\bukkake licking .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Common Files\microsoft shared\bukkake uncut .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian action beast [free] YEâPSè& .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob public glans (Christine,Samantha).mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\sperm [milf] feet swallow .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\xxx licking Ôï .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Google\Update\Download\sperm lesbian feet fishy (Sylvia).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\horse lesbian titts .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\Temp\cum horse public hairy (Gina,Jade).mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\american horse blowjob girls feet .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\german fucking uncut castration .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\danish cum gay full movie .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\kicking blowjob full movie stockings .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fetish sperm [milf] hole shoes .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\porn xxx lesbian black hairunshaved .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\horse fucking [free] titts .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\chinese trambling licking mistress .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\security\templates\russian animal lingerie [free] hole wifey .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\american action blowjob [milf] (Sarah).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\assembly\tmp\italian gang bang blowjob uncut pregnant (Britney,Melissa).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\italian horse hardcore uncut feet granny .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\german horse hidden boots .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\african bukkake voyeur redhair .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\russian porn beast full movie hole granny .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\brasilian action hardcore masturbation .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\fucking [milf] sm .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\italian nude beast masturbation cock .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\handjob blowjob [free] titts .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\gang bang lesbian sleeping feet penetration (Tatjana).rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\british lingerie sleeping titts lady .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\american action lesbian uncut feet (Kathrin,Jade).rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\german sperm lesbian fishy .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\hardcore lesbian femdom .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\action blowjob several models hole Ôï (Sarah).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\japanese porn lingerie public hole shoes .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\spanish sperm girls boots .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\african trambling girls .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\danish beastiality beast uncut (Samantha).mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\gang bang bukkake full movie latex .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\indian action lingerie voyeur .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\asian gay hidden lady .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\Downloaded Program Files\hardcore big .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\british hardcore masturbation (Jade).mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\kicking fucking [free] (Janette).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\chinese horse public traffic .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\malaysia gay big cock hotel .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\handjob blowjob [free] girly .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\lingerie uncut .rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish action trambling catfight titts .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\tyrkish animal fucking hot (!) hole (Sonja,Sarah).mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\lesbian girls feet 50+ (Curtney).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\asian xxx lesbian hole .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\horse horse sleeping (Curtney).mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\CbsTemp\blowjob hot (!) gorgeoushorny .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\spanish lesbian hot (!) titts bondage .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\japanese gang bang lingerie several models feet (Christine,Melissa).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\InputMethod\SHARED\tyrkish beastiality sperm lesbian (Curtney).rar.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\trambling public high heels .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\lingerie catfight bondage .mpeg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\british gay [milf] bedroom .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\black fetish sperm girls hole .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\sperm [milf] (Sylvia).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\american fetish xxx big cock granny (Janette).avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\action blowjob lesbian hole shoes .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\malaysia xxx full movie 40+ (Sonja,Tatjana).zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\black cum trambling uncut gorgeoushorny .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\brasilian horse gay [milf] femdom .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\german blowjob hot (!) .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\xxx uncut glans mature .zip.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\mssrv.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\PLA\Templates\danish fetish lingerie full movie shower .mpg.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\porn lesbian lesbian femdom .avi.exe	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
1616	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
2264	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 640	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	88
PID 1004 wrote to memory of 640	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	88
PID 1004 wrote to memory of 640	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	88
PID 1004 wrote to memory of 2264	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	89
PID 1004 wrote to memory of 2264	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	89
PID 1004 wrote to memory of 2264	1004	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	89
PID 640 wrote to memory of 1616	640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	90
PID 640 wrote to memory of 1616	640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	90
PID 640 wrote to memory of 1616	640	60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe	90

C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
"C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
  "C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
    "C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1616
- C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe
  "C:\Users\Admin\AppData\Local\Temp\60b5d2bb930a02666cce41387b99e741c217ef7a6d1c96672eeb1d75dfe2e805.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian gang bang gay several models glans gorgeoushorny (Karin).mpeg.exe

Filesize
1.0MB

MD5
1fa60f06b82861a160e2aee7de81ca01

SHA1
33e9eb84748a0bf1de8b07b20c7738e106708f73

SHA256
8cdd5052d4f3361cb7e9bf5a05a1677569a8e8e3a125a18ccf81326cd910416a

SHA512
623dba45e7134d87842752b481608e6138108943e97cef94dc85f5745b0fe1dc5ee92a14f4707e9ad9e49619858785a77ba45715d0b6761dfd3d495f91b97dcb

Download Submit
memory/640-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/640-10-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-216-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-203-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-240-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-230-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-170-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-183-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-191-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-195-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-199-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-207-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-212-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-224-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1616-169-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2264-167-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download