Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 20:23
Behavioral task
behavioral1
Sample
3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Resource
win10v2004-20240319-en
General
Target: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Size: 426KB
MD5: cc63513851af6e7df3f9d4a5fe910f6f
SHA1: c292fd85434bb865853138e4051ec0a994e5e585
SHA256: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b
SHA512: 60a8b64e999eeaaf5e06f0e6b427797fc78fbca19ea5875cc1e7834dc91a80690aeffe233252509fd263287031b4ebaa3ae6a87bf683ef12d401a359b9842426
SSDEEP: 12288:gEQoS8zfKEZzfq83hCr71uDyq+a0mJHs1ud:gmfhZ2318+any1k
Malware Config
Signatures
Detects executables containing possible sandbox analysis VM usernames 19 IoCs
UPX dump on OEP (original entry point) 21 IoCs
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe (two instances)
Key value queried: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation (process: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe)
Key value queried: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation (process: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" (process: 3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 12 IoCs
Drops file in Program Files directory 19 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
3008   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
1208   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
3168   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid    process                                                                 target process
PID 116 wrote to memory of 3008    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 116 wrote to memory of 3008    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 116 wrote to memory of 3008    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 116 wrote to memory of 1208    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 116 wrote to memory of 1208    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 116 wrote to memory of 1208    116    3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 3008 wrote to memory of 3168   3008   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 3008 wrote to memory of 3168   3008   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
PID 3008 wrote to memory of 3168   3008   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe   3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe"
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 116
    C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 3008
        C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe"
        - Suspicious behavior: EnumeratesProcesses
        PID: 3168
    C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f9d4d1e7bb684a6d391abe02152e320047bf3e7e586a8e0484daa24e230f80b.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 1208
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8
PID: 4960
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish action big swallow (Tatjana).mpg.exe
Filesize 1.9MB
MD5 9984c719c31b7cf460deebd33e6bd24e
SHA1 0ca62c4f8acd647c1adfafec2e189cee8df9486b
SHA256 fb48dce5550b4a6d417e2e8945b030345a6d8e622cdad7798ae06fdc3fad81f0
SHA512 d06c35c0a7fb7bb149cf603b90a25f0ecdd62a1f5ff312177f191c7513db29eb2e3ee81c760580fb930eb8c30e94b674fbb2780fca8faf9e130d52c93c3caadd
-
Filesize 146B
MD5 5330a6b0e3b6957cb6c6882d6a9dd584
SHA1 d48cbc615aad1d1bb7b99ac61707af6c7a93a3ad
SHA256 1e641a00e5ce771139b0078c16b4e4d98eea15e66dccb75a6099fc40cdf4cb6e
SHA512 854dab6fd5b7eeed628535b8b94957a0fb539ceb0b97a51b7a4daa2e4510900cb252c020c632772ce723deeee939bef1d6446e5dd609b39145c090e97f5c3aa4