7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac

General

Target

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
Size

1.1MB
MD5

7a534ef2cecdf25929b6dac2ea11a751
SHA1

10cf8c504d4389af3b05f973ea7339538acf5994
SHA256

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac
SHA512

e5f87b16dc5f463aca6fc8bf022f445bde88936e36c8e97a98b0fb131f5a9f7ad4ff812e7c7ed465777c383cec90aaa4fca5d51aa4493c97fd0377647738a4ee
SSDEEP

24576:t2IaWE2avgDij2+5flCSmr0JD6FDvIwz7TXThZaWSw:QIaW5G9ClamFc8TXTfaW9

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 19 IoCs

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2652-99-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/540-166-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-185-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2652-186-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/540-188-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/5076-187-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-190-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-196-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-206-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-210-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-215-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-219-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-223-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-227-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-231-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-239-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-243-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/216-247-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 21 IoCs

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian kicking lingerie big (Liz).rar.exe	UPX
behavioral2/memory/2652-99-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/5076-165-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/540-166-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-185-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2652-186-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/540-188-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/5076-187-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-190-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-196-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-206-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-210-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-215-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-219-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-223-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-227-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-231-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-239-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-243-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/216-247-0x0000000000400000-0x000000000041D000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian kicking lingerie big (Liz).rar.exe	upx
behavioral2/memory/2652-99-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/5076-165-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/540-166-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-185-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2652-186-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/540-188-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/5076-187-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-190-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-196-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-206-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-210-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-215-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-219-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-223-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-227-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-231-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-239-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-243-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/216-247-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
File opened (read-only)	\??\X:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\B:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\O:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\S:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\U:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\Q:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\W:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\G:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\H:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\K:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\M:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\R:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\Z:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\A:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\E:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\I:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\N:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\V:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\Y:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\J:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\L:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\P:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File opened (read-only)	\??\T:	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Drops file in System32 directory 12 IoCs

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob full movie cock stockings .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\System32\DriverStore\Temp\blowjob hidden feet .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\FxsTmp\american handjob lingerie full movie (Karin).mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese cum hardcore full movie .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish beastiality blowjob full movie feet boots (Jade).mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese action beast [milf] cock (Sonja,Liz).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american cum gay hot (!) granny (Gina,Jade).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american kicking xxx catfight hole .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish kicking lesbian [milf] feet balls .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black fetish bukkake [milf] hotel .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish nude blowjob masturbation feet high heels (Jade).mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse [bangbus] titts .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Drops file in Program Files directory 19 IoCs

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\american cumshot blowjob full movie glans granny (Samantha).mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\fucking several models .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\blowjob catfight swallow .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian kicking lingerie big (Liz).rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\bukkake voyeur titts .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\kicking gay sleeping hole traffic (Samantha).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Google\Temp\hardcore catfight upskirt (Ashley,Melissa).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore uncut (Karin).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU9848.tmp\blowjob uncut titts .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\root\Templates\swedish fetish lingerie several models titts sm .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish handjob lingerie masturbation castration .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lesbian sleeping ash .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fucking hot (!) hole .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\dotnet\shared\indian beastiality gay masturbation (Jade).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\american fetish trambling [free] (Curtney).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\xxx several models cock Œã .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish gang bang hardcore uncut bondage .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lingerie [milf] stockings .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\danish animal blowjob catfight mature .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Drops file in Windows directory 64 IoCs

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\norwegian beast [free] gorgeoushorny (Sonja,Jade).mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\gay catfight hairy .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\malaysia xxx masturbation cock .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\CbsTemp\horse catfight 40+ .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\chinese bukkake public (Sylvia).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\russian handjob gay sleeping .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\malaysia trambling catfight glans girly .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\spanish beast [bangbus] 40+ .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\fetish trambling lesbian hole (Sonja,Karin).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\african hardcore big fishy .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\nude trambling masturbation gorgeoushorny .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\german fucking hot (!) .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\african trambling [free] .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\black handjob gay hidden Ôï .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\german bukkake full movie .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\fetish lingerie catfight .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\horse bukkake lesbian blondie .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\action fucking hidden titts traffic .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\horse gay [free] sweet .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\japanese fetish horse licking feet high heels .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\german hardcore girls Ôï (Christine,Melissa).rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\fetish trambling [bangbus] shower .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\cum blowjob full movie (Samantha).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\InstallTemp\russian kicking beast licking .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\spanish hardcore masturbation hole 40+ (Curtney).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\danish cumshot hardcore masturbation .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\blowjob full movie pregnant .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\russian kicking fucking [free] redhair .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\american handjob bukkake [milf] hairy .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\indian action gay sleeping 40+ (Sonja,Sylvia).rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\black fetish xxx hot (!) upskirt .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\beastiality fucking full movie YEâPSè& .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\lingerie [bangbus] circumcision .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish beastiality xxx girls .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\action blowjob several models glans high heels .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\italian kicking bukkake girls bondage .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\bukkake big glans leather .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\british horse big cock leather .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\sperm catfight leather .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\spanish horse voyeur feet .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\cum beast hidden girly .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\animal hardcore [bangbus] traffic .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\danish cumshot sperm several models wifey .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\handjob blowjob sleeping hole beautyfull (Sarah).mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\canadian hardcore masturbation feet fishy .zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\danish cum bukkake full movie hole .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\german horse [bangbus] feet shower .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\indian cum xxx several models sm .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\assembly\temp\russian nude xxx sleeping glans wifey .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\american fetish xxx full movie (Karin).rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\russian beastiality sperm catfight pregnant .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\sperm voyeur wifey (Anniston,Karin).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\nude beast hot (!) titts swallow .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\norwegian fucking licking black hairunshaved (Sonja,Karin).mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\chinese beast lesbian .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\german trambling [milf] shoes .mpeg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\asian lesbian catfight (Sylvia).zip.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\beastiality sperm uncut titts .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\black horse lingerie masturbation cock circumcision .avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish gang bang lesbian full movie titts hairy .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\brasilian handjob blowjob catfight feet high heels .mpg.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\brasilian cumshot beast hidden glans castration (Melissa).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\asian lesbian full movie .rar.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\fucking lesbian bondage (Kathrin,Sylvia).avi.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

pid	process
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
540	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
5076	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

description	pid	process	target process
PID 216 wrote to memory of 2652	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 216 wrote to memory of 2652	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 216 wrote to memory of 2652	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 2652 wrote to memory of 5076	2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 2652 wrote to memory of 5076	2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 2652 wrote to memory of 5076	2652	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 216 wrote to memory of 540	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 216 wrote to memory of 540	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
PID 216 wrote to memory of 540	216	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe	7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe

C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
"C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
"C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2652

C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
"C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe
"C:\Users\Admin\AppData\Local\Temp\7778e7c531eab90096c841dd23c00fca5fc06362787ebe6f6a0d93e2c54348ac.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian kicking lingerie big (Liz).rar.exe

Filesize
605KB

MD5
f44b484b1d515fffcc4585a8876ec996

SHA1
94f906138bc12a72090f1bf9c2551dee2ecaaf1a

SHA256
934620627bfd45b0dd665f3b76965afee0010aa1db9323b72a27e968fe65d861

SHA512
4805fe391522ba018b807e3323132b74b3f1bb2a579cc932a49af90790a459ff36c49def6b73e445db607b60c41e30612945f462abefc5580cfe9ca32860b51b

Download Submit
memory/216-196-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-219-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-190-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-243-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-185-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-231-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-206-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-247-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-239-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-227-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-210-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-215-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/216-223-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/540-188-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/540-166-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2652-99-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2652-186-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5076-187-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5076-165-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads