Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240319-en
resource tags: arch:x64, arch:x86, image:win7-20240319-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:19
Behavioral task behavioral1
Sample: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
Resource: win7-20240319-en
Behavioral task behavioral2
Sample: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
Resource: win10v2004-20240319-en
General
Target: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
Size: 456KB
MD5: 0e376dac7a237d031184d9f18308fea0
SHA1: 938e5b43ae55ad88a8f66438573f655c47c93755
SHA256: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c
SHA512: 370583a0da59615e0a1d420718c9c28e2361f9fc58c1ec564dd1d68cb6dc07262215f93de896165939cbfbbcba941e216af41fe5048bc05a221d793c36749b78
SSDEEP: 6144:JjluyDM3Io5R4nM/40yJN+IBhzIjC3U3d8L1dfvnp612KAtftk+LluhEKCJibaOg:JEyDMhqhQelkNyX3oAvuDC4aOg
Malware Config
Signatures
-
Detects executables containing possible sandbox analysis VM usernames 19 IoCs
All 19 matches are on memory dumps of the 0x400000-0x41E000 image region, none on a file on disk: the rule is a string match for common sandbox usernames, and the strings only become visible once UPX has unpacked the image at runtime. Treat it as an indicator of embedded strings, not as an observed username check.
Processes:
resource | yara_rule
behavioral1/memory/2596-54-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-88-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2336-89-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2596-90-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2732-91-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-92-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-93-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-99-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-103-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-117-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-121-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-125-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-129-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-135-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-139-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-143-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-147-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-151-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1068-155-0x0000000000400000-0x000000000041E000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) 22 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1068-0-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking sperm sleeping 40+ .rar.exe | UPX
behavioral1/memory/2336-7-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/2596-54-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-88-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/2336-89-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/2596-90-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/2732-91-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-92-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-93-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-99-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-103-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-117-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-121-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-125-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-129-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-135-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-139-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-143-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-147-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-151-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
behavioral1/memory/1068-155-0x0000000000400000-0x000000000041E000-memory.dmp | UPX
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file (heading inferred from the yara rule name) 22 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1068-0-0x0000000000400000-0x000000000041E000-memory.dmp | upx
C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking sperm sleeping 40+ .rar.exe | upx
behavioral1/memory/2336-7-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2596-54-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-88-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2336-89-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2596-90-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/2732-91-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-92-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-93-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-99-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-103-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-117-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-121-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-125-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-129-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-135-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-139-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-143-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-147-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-151-0x0000000000400000-0x000000000041E000-memory.dmp | upx
behavioral1/memory/1068-155-0x0000000000400000-0x000000000041E000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
description | ioc
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"
The native path \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\...\Run is HKLM\SOFTWARE\Wow6432Node\...\Run, the view a 32-bit process gets when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows; together with the SysWOW64 drops below, it shows the sample runs as a 32-bit image. The value name mssrv32 and the target C:\Windows\mssrv.exe imitate a system component. No "File created C:\Windows\mssrv.exe" entry appears in the dropped-file lists below, which show at most 64 entries each, so check for the file on a live host rather than assuming the Run value is dangling.
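The Run value above is the kind of event a Sysmon Event ID 13 (registry value set) rule should catch. The following is an added example, not code from this report or from Triage: it scores constructed Sysmon-style records (field names follow Sysmon; the events themselves are made up for this example, the first one modelled on the value in this report) and flags the ones that point an autostart entry at a loose executable. The trusted-directory list and the scoring rules are this example's own assumptions.

```python
import re

# Constructed Sysmon Event ID 13 (registry value set) records, reduced to the
# fields the logic needs. The first mirrors the Run value in this report; the
# other two are benign look-alikes a real host would also log.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\mssrv32",
     "Details": "C:\\Windows\\mssrv.exe"},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": "\"C:\\Program Files\\Vendor\\agent.exe\" --tray"},
    {"Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Vendor\\Start",
     "Details": "DWORD (0x00000002)"},
]

# Only Run/RunOnce values are autostart entries; everything else is ignored.
AUTOSTART_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\[^\\]+$", re.IGNORECASE)
# Assumed "normal" homes for an autostart target (example policy, tune per estate).
INSTALL_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\",
                "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def target_path(details):
    """Executable path at the front of a Run value, whether quoted or bare."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0]
    m = re.match(r"\S+?\.exe", d, re.IGNORECASE)
    return m.group(0) if m else d.split(" ", 1)[0]


def classify(event):
    """Reasons an autostart write looks like malware persistence ([] = clean)."""
    key = event["TargetObject"]
    if not AUTOSTART_KEY.search(key):
        return []
    reasons = []
    target = target_path(event["Details"]).lower()
    image = event["Image"].lower()
    parent_dir = target.rsplit("\\", 1)[0]
    if not target.startswith(INSTALL_DIRS):
        reasons.append(f"autostart target outside install dirs: {target}")
    if parent_dir == "c:\\windows":
        reasons.append("executable placed directly in C:\\Windows, not a subfolder")
    if any(p in image for p in USER_WRITABLE):
        reasons.append(f"written by a process running from a user-writable path: {image}")
    # Context only: a Wow6432Node key means a 32-bit writer on 64-bit Windows.
    if reasons and "\\wow6432node\\" in key.lower():
        reasons.append("32-bit writer (key redirected to Wow6432Node)")
    return reasons


def scan(events):
    """Map autostart value name -> reasons, for every flagged event."""
    hits = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev["TargetObject"].rsplit("\\", 1)[-1]] = reasons
    return hits


if __name__ == "__main__":
    for name, why in scan(SAMPLE_EVENTS).items():
        print(name)
        for r in why:
            print("  -", r)
```

Only the mssrv32 entry is flagged; the vendor agent under Program Files and the service Start value are left alone. The same three checks translate directly into a SIEM query over Sysmon 13 events where TargetObject ends in \Run\* or \RunOnce\*.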
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
description: File opened (read-only) | ioc (in the order reported):
\??\M:, \??\T:, \??\Y:, \??\G:, \??\J:, \??\H:, \??\I:, \??\A:, \??\E:, \??\P:, \??\V:, \??\W:, \??\X:, \??\Z:, \??\B:, \??\O:, \??\N:, \??\Q:, \??\R:, \??\S:, \??\U:, \??\K:, \??\L:
These 23 letters are every drive letter A: through Z: except C:, D: and F:, i.e. a sweep of the whole letter range looking for additional volumes.
Drops file in System32 directory 10 IoCs
Processes: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
description: File created | ioc (one per line):
C:\Windows\SysWOW64\FxsTmp\lesbian [milf] .avi.exe
C:\Windows\SysWOW64\IME\shared\black handjob xxx big YEâPSè& .avi.exe
C:\Windows\SysWOW64\FxsTmp\sperm [bangbus] titts gorgeoushorny (Curtney).mpg.exe
C:\Windows\SysWOW64\config\systemprofile\fucking licking .zip.exe
C:\Windows\System32\DriverStore\Temp\black fetish hardcore [free] boots .mpeg.exe
C:\Windows\SysWOW64\IME\shared\sperm masturbation sweet .zip.exe
C:\Windows\System32\LogFiles\Fax\Incoming\indian cum horse catfight penetration .avi.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish beastiality bukkake full movie sweet .mpg.exe
C:\Windows\SysWOW64\config\systemprofile\horse hot (!) hotel (Christine,Jade).rar.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\hardcore [milf] balls .mpg.exe
Drops file in Program Files directory 15 IoCs
Processes: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
description: File created | ioc (one per line):
C:\Program Files (x86)\Common Files\microsoft shared\russian fetish blowjob licking ìï (Britney,Liz).mpg.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\lesbian [free] (Curtney).zip.exe
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish horse xxx girls hole 50+ .avi.exe
C:\Program Files\Windows Journal\Templates\trambling [bangbus] black hairunshaved .mpg.exe
C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking sperm sleeping 40+ .rar.exe
C:\Program Files (x86)\Google\Temp\handjob trambling masturbation feet .mpg.exe
C:\Program Files\Common Files\Microsoft Shared\american kicking bukkake catfight gorgeoushorny .zip.exe
C:\Program Files\DVD Maker\Shared\sperm sleeping .mpg.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\indian handjob trambling [milf] 40+ .rar.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\swedish fetish fucking catfight hole .avi.exe
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob several models glans redhair .mpg.exe
C:\Program Files (x86)\Google\Update\Download\xxx hot (!) .mpeg.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish animal xxx voyeur blondie .mpeg.exe
C:\Program Files (x86)\Microsoft Office\Templates\danish beastiality hardcore hidden titts blondie (Curtney).mpg.exe
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\blowjob full movie feet (Kathrin,Sylvia).rar.exe
Drops file in Windows directory 64 IoCs
Processes: 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe
description: File created | ioc (one per line):
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian nude gay hot (!) (Liz).rar.exe
C:\Windows\SoftwareDistribution\Download\sperm [free] cock young (Melissa).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\african hardcore catfight titts .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\american fetish sperm public 50+ .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\american kicking blowjob voyeur (Sarah).rar.exe
C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\horse blowjob voyeur .mpeg.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese cum xxx lesbian 50+ .avi.exe
C:\Windows\ServiceProfiles\NetworkService\Downloads\beast hot (!) feet upskirt .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\malaysia horse several models titts circumcision .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\african beast [free] .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\chinese sperm full movie titts .avi.exe
C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\french lingerie licking lady .mpeg.exe
C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\handjob blowjob catfight granny .mpeg.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lingerie several models .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\horse voyeur feet (Britney,Liz).mpeg.exe
C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\porn gay sleeping granny .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\gang bang trambling big (Melissa).rar.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\cum trambling full movie feet black hairunshaved .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\porn lesbian voyeur redhair .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\spanish blowjob uncut leather .avi.exe
C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\porn gay full movie titts .avi.exe
C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\russian animal horse [free] pregnant .mpg.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\beast [free] feet swallow .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\danish porn bukkake [bangbus] (Samantha).mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\trambling hot (!) traffic .rar.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\fucking [bangbus] gorgeoushorny .mpeg.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian fetish gay uncut titts .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\fucking hidden feet boots .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\black gang bang beast hot (!) (Sylvia).avi.exe
C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\horse xxx hidden hole (Sonja,Melissa).avi.exe
C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\gang bang beast lesbian .zip.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\danish kicking beast girls 50+ .rar.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian cum trambling uncut girly .rar.exe
C:\Windows\security\templates\gay lesbian .rar.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\brasilian handjob xxx voyeur .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\spanish hardcore uncut traffic .zip.exe
C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\swedish porn lingerie [free] .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\french lesbian [milf] redhair .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\asian blowjob hot (!) swallow .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\canadian hardcore sleeping fishy .mpeg.exe
C:\Windows\winsxs\InstallTemp\canadian gay uncut titts traffic (Karin).avi.exe
C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\chinese lesbian hot (!) redhair .zip.exe
C:\Windows\Downloaded Program Files\trambling voyeur lady (Anniston,Melissa).avi.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\italian animal sperm full movie feet shoes .zip.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\brasilian kicking lesbian licking cock wifey .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\indian animal gay [milf] .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\fucking girls leather .rar.exe
C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\brasilian gang bang fucking big pregnant (Ashley,Janette).avi.exe
C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\german xxx voyeur .zip.exe
C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\norwegian sperm [bangbus] feet YEâPSè& .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\african xxx uncut shower .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\chinese trambling girls feet .rar.exe
C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\indian nude lingerie lesbian bondage .rar.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx [bangbus] cock mistress (Jade).mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\african horse lesbian (Karin).avi.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\lingerie catfight .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\beast masturbation beautyfull .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\norwegian gay licking (Janette).mpg.exe
C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\malaysia blowjob girls feet .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\beastiality xxx several models (Janette).rar.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\beast sleeping glans .rar.exe
C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\trambling lesbian feet castration .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\french horse [bangbus] .zip.exe
C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gay uncut .mpg.exe
Every dropped name ends in a media or archive extension followed by .exe and lands in a directory whose name contains "shared", "templates", "temp", "download" or similar, which is the lure pattern of a file-sharing worm rather than a targeted implant.
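The three dropped-file lists above share one naming pattern, and a practitioner usually wants them as a structured list rather than the flattened "File created <path> <process>" text. The following is an added example, not code from this report or from Triage: it pulls the paths out of an excerpt in that flattened form (six entries copied from the lists above plus one made-up non-lure file as a control, all constructed here), tests each name for the double-extension lure pattern, and counts where the lures were dropped. The regexes and the two-component grouping depth are this example's own choices.

```python
import re
import ntpath  # Windows path handling that also works when run on Linux/macOS
from collections import Counter

PROC = "8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"

# Constructed excerpt in the report's flattened 'description ioc process' form.
IOC_TEXT = " ".join([
    f"File created C:\\Windows\\security\\templates\\gay lesbian .rar.exe {PROC}",
    f"File created C:\\Windows\\winsxs\\InstallTemp\\canadian gay uncut titts traffic (Karin).avi.exe {PROC}",
    f"File created C:\\Program Files\\DVD Maker\\Shared\\sperm sleeping .mpg.exe {PROC}",
    f"File created C:\\Windows\\SysWOW64\\IME\\shared\\sperm masturbation sweet .zip.exe {PROC}",
    f"File created C:\\Program Files (x86)\\Google\\Update\\Download\\xxx hot (!) .mpeg.exe {PROC}",
    f"File created C:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\lingerie several models .mpg.exe {PROC}",
    f"File created C:\\Windows\\Temp\\install.log {PROC} -",  # made-up control entry
])

# Non-greedy path capture terminated by the process name, which never occurs
# inside a dropped path here.
FILE_CREATED = re.compile(r"File created (.+?) " + re.escape(PROC))
# Media/archive extension immediately followed by .exe: the lure pattern every
# drop in this report uses.
LURE_NAME = re.compile(r"\.(avi|mpe?g|rar|zip)\.exe$", re.IGNORECASE)


def extract_file_drops(text):
    """All paths from 'File created <path> <process>' entries, in order."""
    return FILE_CREATED.findall(text)


def is_lure_name(path):
    """True when the file name ends in <media or archive ext>.exe."""
    return bool(LURE_NAME.search(ntpath.basename(path)))


def drop_locations(paths, depth=2):
    """Counter of the first `depth` directory components of each path."""
    counts = Counter()
    for p in paths:
        parts = ntpath.dirname(p).split("\\")
        counts["\\".join(parts[:depth])] += 1
    return counts


def summarize(text):
    """Totals plus a per-location histogram of the lure-named drops only."""
    paths = extract_file_drops(text)
    lures = [p for p in paths if is_lure_name(p)]
    return {"total": len(paths), "lures": len(lures), "by_dir": drop_locations(lures)}


if __name__ == "__main__":
    result = summarize(IOC_TEXT)
    print(f"{result['lures']} of {result['total']} created files match the lure pattern")
    for location, n in result["by_dir"].most_common():
        print(f"  {n:3d}  {location}")
```

The same LURE_NAME test, applied to file-create events from EDR or Sysmon Event ID 11, is a cheap hunt for this family of drops: legitimate software does not write .avi.exe or .rar.exe files into winsxs or Office template folders.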
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (64 entries; all four pids are instances of 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe):
pid | process | entries
1068 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 17
2336 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 16
2596 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 16
2732 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 15
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process | events
PID 1068 wrote to memory of 2336 | 1068 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 4
PID 1068 wrote to memory of 2596 | 1068 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 4
PID 2336 wrote to memory of 2732 | 2336 | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe | 4
(12 WriteProcessMemory events in total; every write goes from a parent into a child that runs the same image)
Processes
-
C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe (depth 1, PID 1068)
command line: "C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe (depth 2, PID 2336, parent 1068)
  command line: "C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe (depth 3, PID 2732, parent 2336)
    command line: "C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"
    - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe (depth 2, PID 2596, parent 1068)
  command line: "C:\Users\Admin\AppData\Local\Temp\8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"
  - Suspicious behavior: EnumeratesProcesses
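The process tree and the WriteProcessMemory table together show one pattern worth pulling out: every write goes from a parent into a child that runs the very same image, and the child processes carry no behaviours of their own beyond process enumeration. That is the outward shape of self-injection or process hollowing, where a clean copy of the binary is spawned and then overwritten with the real payload. The script below is an added example, not part of the sandbox report or of the sample; it re-types the report's process tree and its 12 write events as Python literals, collapses the events into edges, flags parent-to-same-image-child writes, and follows the edges into injection chains. Function names such as `flag_self_image_writes` are this example's own.

```python
"""Reconstruct the injection chain recorded in the sandbox report above.

Added example (not the report's or the sample's code). The data below is
re-typed from the report's process tree and WriteProcessMemory table.
"""
from collections import Counter, defaultdict

SAMPLE = "8fa8e1cd64c36aa564ed7d0dca396ca23d02de3e03ce6e0814d890900bb9448c.exe"

# Process tree from the report: pid -> (parent pid, image name, depth).
PROCESSES = {
    1068: (None, SAMPLE, 1),
    2336: (1068, SAMPLE, 2),
    2732: (2336, SAMPLE, 3),
    2596: (1068, SAMPLE, 2),
}

# "PID X wrote to memory of Y" rows as (source pid, target pid); 12 rows in the report.
WPM_EVENTS = [(1068, 2336)] * 4 + [(1068, 2596)] * 4 + [(2336, 2732)] * 4


def write_edges(events):
    """Collapse repeated WriteProcessMemory events into (src, dst) -> count."""
    return Counter(events)


def flag_self_image_writes(processes, events):
    """Return write edges where a parent writes into a child running the same image.

    A parent writing into its own freshly spawned copy is the classic
    hollowing / self-injection shape; writes into unrelated processes
    would indicate cross-process injection instead and are left unflagged here.
    """
    flagged = []
    for (src, dst), count in write_edges(events).items():
        parent, dst_image, _ = processes[dst]
        src_image = processes[src][1]
        if parent == src and src_image == dst_image:
            flagged.append({"src": src, "dst": dst, "image": dst_image, "writes": count})
    return sorted(flagged, key=lambda e: (e["src"], e["dst"]))


def injection_chains(processes, events):
    """Follow write edges from each root process down to the leaves.

    For this report the result is [[1068, 2336, 2732], [1068, 2596]]: the
    first-stage copy (2336) is itself written into by 1068 and then writes
    into a third copy (2732).
    """
    children = defaultdict(list)
    for src, dst in write_edges(events):
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        path = path + [pid]
        if not children.get(pid):
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path)

    for root in (p for p, (parent, _, _) in processes.items() if parent is None):
        walk(root, [])
    return chains


if __name__ == "__main__":
    for edge in flag_self_image_writes(PROCESSES, WPM_EVENTS):
        print(f"{edge['src']} -> {edge['dst']}  {edge['writes']} writes  same image: {edge['image']}")
    for chain in injection_chains(PROCESSES, WPM_EVENTS):
        print("chain:", " -> ".join(map(str, chain)))
```

When triaging a report like this one, the chains tell you which PID actually ran the payload: with every write landing in same-image children, memory dumps of 2732 and 2596 are the ones to pull, not the on-disk 456KB file.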
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1.7MB
MD5 7b6597cb2fc673dc109add7f5154d58b
SHA1 673c09d644bcb965ff6aa56ecf6fbce9ccad4742
SHA256 b3b2aa8ffe5fb3ba37b0f5010b76834a41801079635136cc308db9734ba86090
SHA512 ac6982886de4a168ca6aaf8150d81f245dfb62d8bd280d328fc6421a50ea5f823923f3fe958adfd165cf2dd4427c6d68d3e50991fa5128fe021ebacb0753a41b