d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c

General

Target

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
Size

1.5MB
MD5

1b45950fe068059dbc4f580bf0da1da9
SHA1

89591c6439ac583b876abc56bd8af81d0148546d
SHA256

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c
SHA512

a8b24c3a81f50b11cb2cdb21cc3d9dc33063e323bef225bc370b09c74b4dfe2a74ab7829f4cee31ff0b707f30ea46ac9897f5f59bf0106c89f7f062622346b72
SSDEEP

24576:0BPOL9mlF+fTt5VbGJhlTM5ZiVvaGJLrZMOxStDp/0DU+pKETUWMTvg7PH8IhdC:QGJRx5Y74ZiQOtMOgpp/0DUxET3GORS

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3636-143-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-182-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2036-183-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2172-184-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/3636-185-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-186-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-187-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-194-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-204-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-208-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-213-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-217-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-221-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-225-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-229-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-233-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-237-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-241-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4832-245-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality fetish sleeping .rar.exe	UPX
behavioral2/memory/3636-143-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-182-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2036-183-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2172-184-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/3636-185-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-186-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-187-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-194-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-204-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-208-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-213-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-217-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-221-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-225-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-229-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-233-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-237-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-241-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4832-245-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exed2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality fetish sleeping .rar.exe	upx
behavioral2/memory/3636-143-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-182-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2036-183-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2172-184-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/3636-185-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-186-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-187-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-204-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-208-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-213-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-217-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-221-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-225-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-229-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-233-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-237-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-241-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4832-245-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
File opened (read-only)	\??\E:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\H:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\J:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\O:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\S:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\G:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\I:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\L:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\U:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\A:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\B:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\M:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\N:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\R:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\T:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\K:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\P:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\Q:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\V:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\W:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\X:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\Y:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File opened (read-only)	\??\Z:	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Drops file in System32 directory 12 IoCs

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish lesbian big .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob [bangbus] stockings .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese bukkake gay hot (!) penetration (Sonja).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\action trambling several models young .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\System32\DriverStore\Temp\gay cum [milf] bedroom .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian lingerie nude voyeur ash .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal action public pregnant .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lingerie bukkake [free] (Janette,Sylvia).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking trambling public fishy (Sonja,Liz).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\french porn horse uncut boobs .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\SysWOW64\IME\SHARED\cum horse voyeur legs .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\norwegian fucking porn full movie shoes .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Drops file in Program Files directory 18 IoCs

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
File created	C:\Program Files (x86)\Google\Update\Download\brasilian horse girls castration (Jenna,Anniston).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\cum action [free] (Jenna).mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\african bukkake sperm hot (!) ash .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Google\Temp\french bukkake fucking [milf] vagina (Liz,Janette).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\nude lesbian .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish gay catfight cock .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\canadian gang bang fucking [milf] hole boots (Sylvia).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese bukkake bukkake full movie titts femdom .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese animal fucking big cock .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\dotnet\shared\trambling [bangbus] .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\canadian hardcore several models vagina castration .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\british porn lesbian granny (Tatjana).avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\hardcore catfight glans .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\canadian fetish fetish [free] penetration .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files (x86)\Microsoft\Temp\indian kicking uncut 50+ .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Common Files\microsoft shared\danish trambling cumshot [free] legs granny .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\malaysia lingerie animal several models glans .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality fetish sleeping .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Drops file in Windows directory 64 IoCs

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lingerie beastiality full movie glans (Ashley).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\chinese nude nude [milf] .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie kicking girls .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\indian xxx fucking lesbian .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\german horse blowjob catfight redhair .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\german xxx beastiality voyeur bondage .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\porn hardcore hidden 50+ .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\gay cum hidden .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\kicking [free] mature .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\spanish gang bang several models swallow .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\indian cumshot lesbian cock girly .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\animal animal licking ash girly .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\gang bang catfight (Sonja,Jade).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\fetish big boots .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\danish bukkake catfight hole .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\InputMethod\SHARED\norwegian beastiality voyeur 50+ .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\bukkake nude big (Sylvia,Sandy).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\german lingerie sleeping (Ashley,Christine).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\italian bukkake sleeping ash girly (Sonja).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\lesbian hidden .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\blowjob nude [free] vagina .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\swedish bukkake licking .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\italian sperm girls bondage (Britney,Samantha).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\african fetish [free] .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\cumshot lesbian .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\fucking girls shower .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\british cum [milf] 40+ .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\kicking bukkake voyeur .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\norwegian animal xxx several models (Sarah).avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\swedish gang bang hardcore hot (!) legs stockings .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\russian handjob several models .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\beastiality blowjob girls YEâPSè& (Jade,Curtney).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\norwegian trambling cum sleeping circumcision .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\action action masturbation bondage (Tatjana,Ashley).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\lingerie sperm full movie glans (Sonja,Karin).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\fucking full movie black hairunshaved .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian hardcore voyeur cock black hairunshaved .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\chinese animal lesbian public mistress (Sarah,Curtney).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\gay sleeping pregnant .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\animal gang bang hot (!) .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\canadian handjob handjob sleeping .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\french kicking lingerie voyeur pregnant .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\indian fucking handjob catfight .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\nude xxx girls boobs (Sonja).avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\kicking lesbian mature .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\fetish [milf] glans .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\swedish fetish hardcore catfight (Jade,Britney).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\trambling horse hot (!) leather .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\french beast cum [free] (Liz,Gina).avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\hardcore gay catfight .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\lingerie beast several models glans castration .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\horse bukkake [free] young .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\fetish big 50+ .zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\black sperm [free] glans (Ashley,Anniston).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\horse fucking full movie boots (Tatjana).zip.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\swedish porn lesbian castration .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\horse bukkake sleeping (Gina).mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\italian cumshot porn [milf] 50+ .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\cumshot beastiality hot (!) glans leather (Jenna).rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\fucking girls Ôï .mpg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\horse lingerie girls bedroom .mpeg.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\british cumshot voyeur lady .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\german bukkake kicking hot (!) nipples .rar.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\handjob horse licking Ôï .avi.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exed2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exed2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exed2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

pid	process
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
3636	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
2172	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exed2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

description	pid	process	target process
PID 4832 wrote to memory of 2036	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 4832 wrote to memory of 2036	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 4832 wrote to memory of 2036	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 2036 wrote to memory of 2172	2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 2036 wrote to memory of 2172	2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 2036 wrote to memory of 2172	2036	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 4832 wrote to memory of 3636	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 4832 wrote to memory of 3636	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
PID 4832 wrote to memory of 3636	4832	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe	d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe

C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
"C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
"C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
"C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe
"C:\Users\Admin\AppData\Local\Temp\d2e79e3dab60680f7ae23b9e1ecda34c18b81b7f484311f0e9286d03d4b1282c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality fetish sleeping .rar.exe
Filesize
1.1MB

MD5
0b9eeaa7aabc4b31ef14879dd6de1d85

SHA1
c98186033f10b8ee999b5a735d0745b907551026

SHA256
1caf41e89d5e4414257bb0bbe288a84f1a760c8f69ea8cbc7ce9e1ab06503c8a

SHA512
b6ec01ea5524198da33244b6415aa2b63d5c98b97fd08ac374f3c4f3a06c50e1ab8812e6c1aaf1ee3ccc429336513cf1fa0a26639b56c6f6800360058d5e24ee

Download Submit
memory/2036-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2172-184-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3636-143-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3636-185-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-213-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-186-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-187-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-208-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-182-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-221-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-233-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-237-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-241-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4832-245-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads