aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2024 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
Size

1.6MB
MD5

d8e96f46b4f280f00343c266cee210e6
SHA1

15a78c846a70cd85cf353900933c3c24bb629dbd
SHA256

aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29
SHA512

1cb63994a8843c46f3a81f5b6c601c0370b2be4a0a81c0326cdc2f22b4da259231b5e7d92c18cf9e8d23ec2e4db091d18f33d7337c6b069930f692ad4ac3c6c4
SSDEEP

24576:CIRV7utviSwHshP+bgXUNkfmQxUZcKt0uUIO57rZfuSi9kL37/fZkwUVC/1EdoZ5:1yRKGUNk+Qiu8UbrYSlL7hUc1KoeU

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 19 IoCs

resource	yara_rule
behavioral2/memory/2620-167-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4044-169-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-181-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4920-182-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2620-183-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4044-184-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-186-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-192-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-203-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-207-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-212-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-216-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-220-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-224-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-228-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-232-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-236-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-240-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1896-244-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 21 IoCs

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/files/0x0007000000023214-5.dat	UPX
behavioral2/memory/2620-167-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4044-169-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-181-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4920-182-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/2620-183-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4044-184-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-186-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-192-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-203-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-207-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-212-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-216-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-220-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-224-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-228-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-232-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-236-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-240-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1896-244-0x0000000000400000-0x000000000041F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1896-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023214-5.dat	upx
behavioral2/memory/2620-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4044-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4920-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2620-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4044-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-228-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1896-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\Q:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\A:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\E:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\G:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\J:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\Z:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\H:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\K:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\S:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\W:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\U:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\V:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\N:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\O:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\R:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\T:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\X:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\Y:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\B:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\I:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\M:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File opened (read-only)	\??\P:	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\british xxx xxx several models glans .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob hidden femdom (Sonja).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian cumshot voyeur blondie .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish lingerie hot (!) mistress (Karin).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\System32\DriverStore\Temp\black gay big hotel .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\FxsTmp\black lesbian girls ash Ôï .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\IME\SHARED\malaysia hardcore bukkake [bangbus] (Sonja).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob blowjob big tß (Karin).zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish bukkake [milf] hole wifey .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\config\systemprofile\nude hidden bedroom .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish gang bang hardcore public upskirt .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian horse trambling hot (!) ash .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\black kicking horse uncut cock .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\chinese bukkake animal [milf] (Sarah).zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\blowjob voyeur mistress (Samantha).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish gang bang xxx several models black hairunshaved .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Google\Update\Download\black kicking kicking licking young .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\dotnet\shared\chinese animal animal [milf] high heels (Sonja).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking big .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\malaysia beastiality horse big mistress (Curtney).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\italian beastiality cum masturbation nipples .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Common Files\microsoft shared\italian horse hot (!) pregnant .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Microsoft Office\root\Templates\horse [milf] legs blondie .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british beast action lesbian .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Google\Temp\black cum [free] (Curtney,Jenna).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian kicking public leather (Melissa,Jenna).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Microsoft\Temp\beast beastiality public .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian action sleeping sweet .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\cumshot action [milf] circumcision .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish gay action uncut feet (Samantha,Anniston).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\german animal lingerie public girly .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\british sperm animal girls (Sylvia).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\french fucking sleeping pregnant .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian gang bang [free] legs (Jade).zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish cum kicking several models boobs young .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\gang bang blowjob several models latex (Jenna).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\tyrkish gang bang lesbian hole .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\indian gay voyeur vagina (Sarah).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\lingerie public glans .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\canadian porn horse voyeur mature .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\mssrv.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\swedish beastiality lesbian fishy .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\gay kicking voyeur .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\german hardcore xxx lesbian latex .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\horse lingerie sleeping .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\french sperm [free] nipples redhair .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\animal kicking [bangbus] blondie (Christine).avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\horse gay [milf] (Curtney).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\indian hardcore [bangbus] balls .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\brasilian porn [milf] vagina .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\animal sleeping femdom .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\norwegian beastiality horse girls YEâPSè& .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\tyrkish xxx masturbation glans .rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\canadian cum lesbian masturbation girly .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\porn nude sleeping .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\beastiality nude girls legs (Britney,Britney).avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\blowjob cumshot [milf] glans shoes .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\italian porn lesbian hotel .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\indian blowjob several models .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\blowjob lesbian [bangbus] hole mature .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\gang bang bukkake lesbian feet .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\cumshot fucking catfight .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\canadian hardcore uncut (Curtney).rar.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\assembly\tmp\danish horse cum catfight hairy .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\bukkake cum girls .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\blowjob blowjob hot (!) girly (Anniston).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\norwegian gang bang lesbian .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\chinese kicking blowjob hot (!) ash (Sarah,Jenna).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\horse several models ash bedroom .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\chinese beast sleeping feet sm .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\black fucking xxx hot (!) YEâPSè& .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\chinese animal lingerie sleeping black hairunshaved .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\russian nude big feet .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\canadian bukkake lingerie masturbation bedroom .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\asian bukkake several models hairy (Ashley,Karin).zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\bukkake [free] legs mistress .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\russian lesbian catfight vagina (Curtney,Anniston).avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\PLA\Templates\spanish beastiality action several models Ôï .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\horse uncut shower (Karin).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\swedish animal horse full movie .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\Downloaded Program Files\italian hardcore action [free] ìó .avi.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\african xxx masturbation bedroom .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\swedish animal beast big ash mistress (Karin,Janette).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\danish cum licking boobs .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\handjob full movie (Jenna,Samantha).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\american horse porn sleeping fishy .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\danish lesbian public upskirt .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\gay catfight boobs hairy .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\german sperm [free] (Samantha).zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\danish cumshot full movie .zip.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\black gay [free] (Sonja,Sarah).mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\beastiality licking sweet .mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\kicking kicking hidden ash beautyfull (Tatjana).mpg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\italian trambling hardcore hidden ash .mpeg.exe	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
4044	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
2620	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 4920	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	86
PID 1896 wrote to memory of 4920	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	86
PID 1896 wrote to memory of 4920	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	86
PID 4920 wrote to memory of 2620	4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	89
PID 4920 wrote to memory of 2620	4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	89
PID 4920 wrote to memory of 2620	4920	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	89
PID 1896 wrote to memory of 4044	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	90
PID 1896 wrote to memory of 4044	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	90
PID 1896 wrote to memory of 4044	1896	aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe	90

C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
"C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
  "C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
    "C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe
  "C:\Users\Admin\AppData\Local\Temp\aab53b15c41daf89f4728bcf2e17a6cb988d20ca06733639c6cc98a7f1ecdd29.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking big .mpg.exe

Filesize
372KB

MD5
36057af363bafa52c06e1a653701e0e3

SHA1
7d8896ff87a267d038cc024e0cf1447a5dea6808

SHA256
367013a54a0d92a80983ff7a274ac90db74cd303dec063e6ef8417f0412946ab

SHA512
9b7798e6b29e5cf484e9d9da7a67fdfa300174f860c8d4a5f2263321080ef97bcfdf55e3cfe1a61a9f1ec48e67498dcbab5b0bb334b4ec90c5676969331c5bde

Download Submit
memory/1896-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2620-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4920-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download