6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0

General

Target

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
Size

459KB
MD5

db49c33110101b2a0328d6c6e140e217
SHA1

c822460e502adc0c62c8313c52995406dec1f36a
SHA256

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0
SHA512

1a58c726516af6a0800ca2f26261d815825b95964bf241493774a26fadd0afdfb207d6cea2d8112dc7d3b886928b0b0618ebb5621488072d65ae044e39ff96d5
SSDEEP

12288:lXa8s3Rh747EcHlUVYRHV5nFbAnNgyG++rufMC:lq84h7a3HaEHjnFbqqyG++i0C

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-90-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2548-91-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2520-92-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-93-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-94-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-98-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-101-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-114-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-117-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-120-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-123-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-128-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-131-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-134-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-137-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-140-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2068-143-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2068-0-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
C:\Program Files\Windows Sidebar\Shared Gadgets\xxx licking balls .avi.exe	UPX
behavioral1/memory/2548-16-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2520-58-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-90-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2548-91-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2520-92-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-93-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-94-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-98-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-101-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-114-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-117-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-120-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-123-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-128-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-131-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-134-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-137-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-140-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2068-143-0x0000000000400000-0x000000000041C000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	ioc	process
File opened (read-only)	\??\A:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\Q:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\T:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\Z:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\U:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\B:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\G:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\J:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\K:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\N:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\O:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\R:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\E:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\V:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\X:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\H:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\I:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\L:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\M:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\P:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\S:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\W:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File opened (read-only)	\??\Y:	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Drops file in System32 directory 10 IoCs

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\bukkake [milf] (Janette).zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish fetish sperm [milf] feet .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\hardcore public .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian kicking hardcore voyeur hole wifey .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish cumshot fucking sleeping glans ash (Samantha).avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american horse sperm masturbation hole swallow .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\System32\DriverStore\Temp\indian fetish lesbian hot (!) swallow .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\IME\shared\tyrkish action gay sleeping titts young .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish action sperm [milf] latex (Sandy,Sylvia).rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SysWOW64\FxsTmp\gay sleeping .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Drops file in Program Files directory 15 IoCs

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Temp\italian animal blowjob uncut hole shower .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\tyrkish handjob blowjob uncut ash .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\xxx licking balls .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\trambling [bangbus] cock black hairunshaved .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\indian action hardcore [free] wifey .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\blowjob several models (Karin).avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\italian beastiality horse catfight circumcision .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files\Windows Journal\Templates\indian cum beast uncut penetration .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\indian beastiality trambling hidden titts leather (Samantha).mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Google\Update\Download\hardcore [bangbus] (Jade).avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast uncut black hairunshaved .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files\DVD Maker\Shared\danish handjob beast public (Melissa).avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\tyrkish cum bukkake girls cock girly .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\swedish action hardcore public feet mistress (Samantha).mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\danish nude fucking [free] fishy .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Drops file in Windows directory 64 IoCs

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\black horse sperm uncut balls .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\canadian hardcore public feet .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\gang bang lingerie voyeur black hairunshaved .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\gay voyeur hole .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\InstallTemp\black cumshot lingerie [milf] glans ìï .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\danish kicking xxx lesbian latex .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\kicking gay hot (!) hotel .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\brasilian cumshot hardcore girls feet .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish animal blowjob uncut bondage .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\beastiality fucking uncut ejaculation (Kathrin,Curtney).mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\cumshot beast uncut glans ejaculation .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\fetish lesbian hot (!) hotel (Sonja,Karin).mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\blowjob voyeur (Janette).mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\lingerie several models glans wifey .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\african gay masturbation 40+ .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\temp\black porn blowjob [bangbus] glans young .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish fetish lingerie [milf] traffic .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\nude lesbian several models .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\cumshot hardcore hot (!) hole .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\american kicking horse lesbian .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\cumshot fucking several models penetration .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\xxx uncut circumcision .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\italian nude fucking full movie feet swallow .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\russian beastiality beast [bangbus] glans .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\tyrkish animal xxx big 40+ .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\nude blowjob girls wifey .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\sperm sleeping upskirt .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\animal beast hidden balls .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\tyrkish action bukkake [milf] hole .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\swedish cum lesbian [milf] .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking [bangbus] penetration .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\american gang bang lesbian [milf] .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\indian gang bang gay catfight glans young .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\japanese kicking lingerie masturbation stockings .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\chinese hardcore hidden (Janette).mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\indian fetish beast licking feet girly .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese beastiality fucking masturbation sm .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\black kicking trambling sleeping hole boots .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\trambling licking gorgeoushorny .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black cumshot blowjob sleeping glans ash .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian animal xxx catfight hole mistress (Melissa).mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\animal hardcore full movie black hairunshaved .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\russian handjob lesbian [milf] traffic .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\sperm sleeping balls (Ashley,Sarah).mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\cum xxx [free] cock ejaculation (Curtney).zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\danish cumshot horse big .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\malaysia beast several models swallow .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\italian handjob xxx catfight blondie .mpeg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\black horse hardcore [free] fishy .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fucking catfight young .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\beastiality trambling masturbation (Liz).mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\black horse fucking masturbation glans .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\fucking uncut hole .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\brasilian animal fucking sleeping titts .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\beastiality horse [milf] feet .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\beast full movie glans (Sonja,Curtney).avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\brasilian handjob horse [free] (Sylvia).zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\italian handjob horse big ejaculation .zip.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\cumshot xxx hidden .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fucking [bangbus] lady .avi.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\tyrkish gang bang lesbian [bangbus] titts .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\malaysia sperm voyeur glans .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\american fetish bukkake hidden .rar.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\tyrkish beastiality sperm hidden titts .mpg.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

pid	process
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2520	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

description	pid	process	target process
PID 2068 wrote to memory of 2548	2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2068 wrote to memory of 2548	2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2068 wrote to memory of 2548	2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2068 wrote to memory of 2548	2068	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2548 wrote to memory of 2520	2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2548 wrote to memory of 2520	2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2548 wrote to memory of 2520	2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
PID 2548 wrote to memory of 2520	2548	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe	6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe

C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
"C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
"C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe
"C:\Users\Admin\AppData\Local\Temp\6eb752286d43328b7236e6e3e00f6a62240cb61e8b61acdf0a416685a7bc59f0.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2520

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\xxx licking balls .avi.exe
Filesize
1.3MB

MD5
10cb4a826effcbdb23ab254ee0a03f9a

SHA1
c1780eca9372893fa11753d235cb2eec25b98f0d

SHA256
5d6d8e92f2f7132cac923e92215894b80cf5278506a6f4abaa76f94d26ffef58

SHA512
baa6a1d1d29f0d2d5065b6425d24d31be9e1a976e20964b66845f890e106aef787dfaf18e45b79b02a8b870c9c58d9a99a06963748560a89ef2d2058e7ab61da

Download Submit
C:\debug.txt
Filesize
183B

MD5
f3acf7f366e486e24af0eb8fc9aac1a7

SHA1
da7217d72651dc83923923c70b0d0597abd544df

SHA256
91f9fe9613416a1cdaa6138cb3cc68f766eaea5e8d7a604eed8485a781e141a8

SHA512
58fb130d38f2af7ba37fee80497793d67d664e286175c8f2740d6a146ec369b037a512a23da873133f9cb982c5d12cc2e868b34e6a76d4174f6fd3cfaa7b4300

Download Submit
memory/2068-128-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-101-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-93-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-114-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-131-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-117-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-120-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2068-123-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2520-92-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2548-97-0x0000000004570000-0x000000000458C000-memory.dmp

Filesize
112KB

Download
memory/2548-57-0x0000000004570000-0x000000000458C000-memory.dmp

Filesize
112KB

Download
memory/2548-91-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2548-16-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads