8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
Size

648KB
MD5

27b5e378fee94b63cac972238b6fd8ea
SHA1

d977df7d46fe2bef480a32b0d3f7e7efe64e1dce
SHA256

8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a
SHA512

f80fd7be1f23583c19ec098d831799e72b4726b0f9ef4bbeb13851cbf753eee34b3ba731070965139a26d909813dc09677df293f43e44a5e4850d6f251bb4711
SSDEEP

12288:0EQoSCQLbmVOZ6MvZ9Q4cK+hVBTD/7Tynuc3+0RQ2LK5KkFm+ZF:0nSVOZ6oZVc/nDku6RQFzl

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 19 IoCs

resource	yara_rule
behavioral2/memory/4516-165-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-184-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/5008-185-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4516-186-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/3840-187-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-189-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-190-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-196-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-206-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-210-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-215-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-219-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-223-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-227-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-231-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-235-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-239-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-243-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2876-247-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral2/memory/2876-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/files/0x0007000000023228-5.dat	UPX
behavioral2/memory/5008-66-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4516-165-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-184-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/5008-185-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4516-186-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/3840-187-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-189-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-190-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-196-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-206-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-210-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-215-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-219-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-223-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-227-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-231-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-235-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-239-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-243-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2876-247-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2876-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x0007000000023228-5.dat	upx
behavioral2/memory/5008-66-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4516-165-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-184-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5008-185-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4516-186-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3840-187-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-189-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-190-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-196-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-206-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-210-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-215-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-219-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-223-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-227-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-231-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-235-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-239-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-243-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2876-247-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\I:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\J:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\B:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\G:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\L:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\R:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\W:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\X:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\Y:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\Z:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\A:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\H:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\K:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\M:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\P:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\T:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\V:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\N:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\O:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\Q:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\S:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File opened (read-only)	\??\U:	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\swedish horse sperm masturbation .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\FxsTmp\german horse hot (!) blondie (Janette,Curtney).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\canadian animal lesbian big .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\german gay girls (Samantha).rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\IME\SHARED\norwegian nude cumshot voyeur penetration .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\canadian kicking action sleeping girly .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\System32\DriverStore\Temp\spanish sperm gay voyeur .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\FxsTmp\cumshot catfight titts (Sonja,Sarah).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american trambling masturbation .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian kicking sleeping pregnant (Jenna).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian fetish cum public .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\british animal hardcore full movie .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\canadian blowjob licking glans .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american beastiality voyeur .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\beast girls stockings .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british xxx girls cock YEâPSè& .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Microsoft\Temp\norwegian sperm horse licking .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian beastiality licking glans ash (Sarah).mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american beast fucking lesbian mistress .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish nude lesbian nipples (Jenna).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\black bukkake lesbian licking cock .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\french gang bang [free] .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish bukkake animal several models (Sylvia,Christine).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish nude full movie fishy (Liz).mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish fetish kicking girls ash .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Google\Temp\nude action voyeur ash stockings .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\Common Files\microsoft shared\canadian cum masturbation titts ejaculation .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files\dotnet\shared\swedish horse full movie Ôï (Gina,Anniston).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Google\Update\Download\french xxx action sleeping glans mistress .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\lingerie licking penetration (Sandy,Christine).avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\african beastiality voyeur sweet .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\swedish handjob several models cock bedroom .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\horse beastiality [milf] .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\chinese blowjob gang bang voyeur traffic (Britney).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\japanese bukkake public ash .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\brasilian gang bang full movie ejaculation .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\asian handjob action lesbian (Jenna).avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\french lingerie catfight .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\black bukkake hidden upskirt .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\lingerie beast [milf] boots .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\black beastiality sperm girls .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\malaysia fetish fetish several models granny .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\spanish gay [milf] ash leather .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\french gang bang fucking licking (Sonja,Sylvia).mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\norwegian lesbian girls (Samantha).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\handjob several models shower .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\sperm lesbian blondie .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\malaysia kicking public .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\asian horse voyeur feet traffic .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\danish xxx porn full movie nipples sm (Britney,Curtney).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\german horse cum lesbian .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\swedish fetish masturbation cock .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\spanish gay big penetration (Melissa).rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\british cumshot masturbation boots .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\gay licking stockings .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\handjob fucking big hotel .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\security\templates\swedish animal hot (!) cock (Ashley).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\asian cum public boots (Sonja).rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\spanish horse voyeur swallow (Janette).mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\porn public nipples .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\asian lingerie cumshot several models (Melissa).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\sperm hidden swallow .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\american fetish lesbian sleeping mature (Liz,Kathrin).mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\xxx action licking nipples ejaculation .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\mssrv.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\spanish cumshot full movie (Gina,Sonja).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\trambling [bangbus] leather .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\black horse handjob several models glans .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\french trambling sleeping ash .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\indian gang bang uncut nipples bedroom .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\french lesbian full movie legs .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\malaysia animal [free] titts pregnant .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\xxx gay big sm (Anniston,Liz).rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\danish hardcore sperm full movie castration (Liz,Sarah).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\french fucking hidden glans 50+ (Jenna,Ashley).rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\cum masturbation ash .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\asian gang bang hot (!) (Jenna,Sonja).mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\american xxx cumshot hidden swallow .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\indian beastiality bukkake hidden cock bondage .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\handjob masturbation blondie (Karin,Janette).avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\animal [bangbus] black hairunshaved (Ashley).avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\brasilian kicking [milf] vagina hairy .zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\beast handjob full movie legs 40+ .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\russian fetish lingerie catfight leather .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\lingerie nude full movie hotel .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\african bukkake lesbian beautyfull .avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\malaysia handjob action catfight .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\indian trambling bukkake sleeping (Sarah,Christine).avi.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\swedish beast xxx lesbian vagina circumcision (Britney).zip.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\porn hidden glans high heels .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\german horse lesbian bondage .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\norwegian gay public .mpeg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\nude horse full movie .rar.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\african cumshot bukkake hidden hole femdom .mpg.exe	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
3840	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
4516	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 5008	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	90
PID 2876 wrote to memory of 5008	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	90
PID 2876 wrote to memory of 5008	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	90
PID 2876 wrote to memory of 4516	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	93
PID 2876 wrote to memory of 4516	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	93
PID 2876 wrote to memory of 4516	2876	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	93
PID 5008 wrote to memory of 3840	5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	94
PID 5008 wrote to memory of 3840	5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	94
PID 5008 wrote to memory of 3840	5008	8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe	94

C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
"C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
  "C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
    "C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3840
- C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe
  "C:\Users\Admin\AppData\Local\Temp\8a0b233457d15f119bf29929b11234becb3d58bdfe7ae7ae5d36227a3b3f227a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish nude lesbian nipples (Jenna).zip.exe

Filesize
494KB

MD5
d6626c2fbb76576767f17de499ae9303

SHA1
3f73ce92ee976de5a95763178b430dbc33bd9de5

SHA256
ae213c3f70868933049f0be0e6820c68728f3cb9980dd4073aa96cfef4177c3a

SHA512
b0d5e51dc9d1c07a91c003a8dad58a53077c197073d9643e0f07bfe6b8d3a0873ad3099773cc3325516d8c927c4d3cb77d8ab7305f981e8f76b277ac01a2ca3f

Download Submit
memory/2876-223-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-247-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-243-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-239-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-235-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-189-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-190-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-196-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-210-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2876-227-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3840-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4516-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4516-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5008-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5008-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download