0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803

General

Target

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
Size

1.6MB
MD5

bcefd26185cbc4ab0b9525652972913a
SHA1

b2ceebe0a27abda967309b25d9b103698db40fca
SHA256

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803
SHA512

7f0193ccce0f796b7eecc942d3661aecfaaf4c14d56782a0ec7a904a83584ea3a56ae0d0c9b3b5f93b71fc88f0bfe3231ed5af7e73f988fd2c6149634d54bbdd
SSDEEP

24576:VYgK84mc3oQNtuGKJneIez3s+5OHOY+1WFfjchp33CVZsH1jelgS4AhKjiCq:in8zQKneI43958O71WGSVZsHggSHKj6

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-92-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2488-95-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2228-104-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-105-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-109-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-115-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-123-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-126-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-132-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-138-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2036-144-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian trambling hidden .mpg.exe	UPX
behavioral1/memory/2036-65-0x0000000004B70000-0x0000000004B8E000-memory.dmp	UPX
behavioral1/memory/2488-66-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2228-90-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-92-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2488-95-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2228-104-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-105-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-109-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-115-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-123-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-126-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-132-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-138-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2036-144-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2036-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian trambling hidden .mpg.exe	upx
behavioral1/memory/2036-65-0x0000000004B70000-0x0000000004B8E000-memory.dmp	upx
behavioral1/memory/2488-66-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2228-90-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-92-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2488-95-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2228-104-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-105-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-109-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-115-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-123-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-126-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-132-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-138-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2036-144-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	ioc	process
File opened (read-only)	\??\O:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\R:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\U:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\V:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\G:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\J:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\L:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\S:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\W:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\B:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\I:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\P:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\Y:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\Z:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\H:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\N:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\K:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\M:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\Q:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\T:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\X:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\A:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File opened (read-only)	\??\E:	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Drops file in System32 directory 10 IoCs

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\horse horse [milf] wifey .mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\spanish animal several models .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse fetish [milf] .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\IME\shared\russian trambling uncut glans (Sonja,Christine).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish gang bang [bangbus] stockings .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian beast [bangbus] feet .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish handjob trambling [free] ash .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black action fucking full movie young .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\FxsTmp\french fucking kicking sleeping .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SysWOW64\IME\shared\canadian porn action [milf] .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Drops file in Program Files directory 15 IoCs

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\african horse sleeping legs ìï (Tatjana).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Google\Temp\swedish action public shoes .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\russian horse trambling full movie girly (Tatjana).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files\Common Files\Microsoft Shared\black horse gang bang sleeping .mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files\DVD Maker\Shared\indian fucking trambling several models titts (Sarah).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Google\Update\Download\lesbian xxx hidden traffic .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\bukkake [free] legs balls (Liz,Liz).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\german beastiality hardcore sleeping feet fishy (Melissa,Liz).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\spanish gang bang voyeur nipples mistress (Kathrin,Christine).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files\Windows Journal\Templates\american fetish porn catfight cock .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\cum hardcore girls granny .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\swedish sperm cum big cock bedroom .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian trambling hidden .mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\nude horse masturbation beautyfull .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\gang bang cumshot uncut penetration .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Drops file in Windows directory 64 IoCs

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\russian blowjob [free] 40+ (Sonja,Jade).zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\horse [milf] glans high heels .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\horse action girls legs beautyfull (Sonja,Tatjana).mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\swedish cumshot horse [bangbus] (Jade,Christine).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\danish trambling several models castration .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\black cumshot kicking girls .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\brasilian porn fucking sleeping (Sylvia).mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\italian animal horse girls legs ejaculation .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum [free] feet gorgeoushorny (Jenna).zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\chinese trambling full movie latex .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\danish cum action hidden boots (Samantha,Britney).mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\african gang bang voyeur .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\nude [free] (Sarah,Samantha).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\british gay lesbian bondage (Curtney,Sylvia).mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\indian lingerie sperm big traffic .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\Temp\blowjob beastiality public .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\tyrkish horse sleeping gorgeoushorny .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\swedish porn bukkake masturbation feet (Tatjana).zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\porn sleeping ash .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\spanish trambling xxx full movie redhair (Liz).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\italian bukkake catfight titts .mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\french trambling hidden cock ìï .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\lesbian lesbian sleeping 40+ (Jenna).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\hardcore horse licking blondie .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\canadian gay gay lesbian mistress .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\brasilian blowjob licking .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\bukkake fucking [bangbus] sm .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\british porn cum masturbation legs penetration (Curtney).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\cumshot several models feet castration (Jade,Melissa).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\tyrkish gang bang girls boobs beautyfull .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\fetish porn licking glans .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\nude [free] feet leather .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\lingerie full movie 50+ .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\mssrv.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\Downloaded Program Files\beast public nipples 40+ (Sonja,Britney).avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\norwegian porn gay hidden hole (Jenna).zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\cumshot bukkake hidden titts .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\african action sleeping glans girly (Britney,Gina).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\cum [free] mistress .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\nude porn big .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\spanish beast sleeping bondage .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\lingerie fetish several models boobs .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\beastiality gang bang hot (!) .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\tyrkish kicking masturbation penetration (Samantha,Jade).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\gay hidden legs gorgeoushorny .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\tmp\canadian gang bang hardcore sleeping .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\PLA\Templates\swedish action gay girls .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\bukkake horse uncut (Sarah,Christine).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\french beastiality fucking masturbation traffic (Liz).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\SoftwareDistribution\Download\norwegian beast masturbation .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\fucking several models fishy .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\asian kicking nude [milf] titts .mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\italian beast uncut nipples pregnant (Sonja,Karin).rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\action cum voyeur boobs latex .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\hardcore horse hot (!) gorgeoushorny .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\norwegian xxx beastiality public lady .avi.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\action gay big bedroom .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\swedish trambling sperm lesbian (Ashley).mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\fetish gay big boobs .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\italian cumshot trambling hot (!) (Sylvia).zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\danish blowjob hidden wifey (Anniston).mpg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\norwegian nude voyeur young .zip.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\german trambling hot (!) vagina .mpeg.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\porn fucking several models sm .rar.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

pid	process
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
2228	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

description	pid	process	target process
PID 2036 wrote to memory of 2488	2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2036 wrote to memory of 2488	2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2036 wrote to memory of 2488	2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2036 wrote to memory of 2488	2036	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2488 wrote to memory of 2228	2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2488 wrote to memory of 2228	2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2488 wrote to memory of 2228	2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
PID 2488 wrote to memory of 2228	2488	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe	0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe

C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe
"C:\Users\Admin\AppData\Local\Temp\0c5c5eaf9f6b807bb514135d3f3b70de847b12f52fe36d97b9349e291bdbf803.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2228

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian trambling hidden .mpg.exe
Filesize
1.0MB

MD5
8dcec2c2cec03e3a1ae5cbea85d1442c

SHA1
af394332e87831ca9f639c22be3e9bbfa72bab71

SHA256
96eeeaf341448cb75990d3659f05cc9443700953366baa6513f9e955ccf0f365

SHA512
e970601c12f63cdd68ec8749c6e3c790821162c2dcc32336419032cf6fa084b5db85471b75a44c3184900cafaa47e6de539599a638a12c0478a5fef9e3f825c7

Download Submit
C:\debug.txt
Filesize
183B

MD5
775ae00f8d5edfd628c0eb9c1f49ed1e

SHA1
712a4c77067ff9e09ece4668383d37e46f869666

SHA256
7c3fc79365d6e544574964b9bf824bdb7528a07b650c2819221fcf37adbe2a67

SHA512
c6840fe09a8182357b0bd75fe3c9165ea45e056ec1e880de0db0ff8b6aaed28813f96fa66bf26bdd0f458978d60c57643befd0402b3375d45ed1e4bbf6ecff64

Download Submit
memory/2036-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-144-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-65-0x0000000004B70000-0x0000000004B8E000-memory.dmp

Filesize
120KB

Download
memory/2036-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2036-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2228-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2228-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-108-0x0000000004580000-0x000000000459E000-memory.dmp

Filesize
120KB

Download
memory/2488-66-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2488-89-0x0000000004580000-0x000000000459E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads