3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3

General

Target

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
Size

1.6MB
MD5

d9e654ef2c44a3cb7f83bbe4480407b0
SHA1

0881342a31ca38c93b4e111e99933857799323b3
SHA256

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3
SHA512

84214aa69a5d44290520791db3bec90271dda7bfaf4ca174403f788c4db07afea13cacac0f4b5fd1c8e537f968a5af4f3e22e66de3731518b9cd967736192a5f
SSDEEP

24576:VEj8TMgbMggOBdOiHQc8rY7XqoLxg+k1FiyxiLXMMoWn0Hp7cOIFM67sUkDozAPL:dTMgXdO9c/g+kriy4LX0HpwOIKoCzf

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4252-13-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/3040-14-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4696-49-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4252-113-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/5436-162-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian cum bukkake hidden hairy .mpg.exe	UPX
behavioral2/memory/4696-7-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4252-13-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/5436-15-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/3040-14-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4696-49-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4252-113-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/5436-162-0x0000000000400000-0x000000000041F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3040-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian cum bukkake hidden hairy .mpg.exe	upx
behavioral2/memory/4696-7-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4252-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5436-15-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3040-14-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4696-49-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4252-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5436-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
File opened (read-only)	\??\T:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\V:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\A:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\G:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\H:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\K:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\N:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\O:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\X:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\B:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\E:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\J:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\M:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\Q:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\Z:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\U:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\W:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\Y:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\I:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\L:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\P:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\R:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File opened (read-only)	\??\S:	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Drops file in System32 directory 12 IoCs

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IME\SHARED\italian animal horse several models feet .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm girls cock .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lingerie lesbian cock .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\FxsTmp\lesbian hot (!) YEâPSè& .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\IME\SHARED\bukkake voyeur titts balls .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian beastiality blowjob [milf] bedroom .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian gang bang sperm licking hairy .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian handjob fucking licking cock swallow .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\FxsTmp\german xxx catfight cock .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking full movie (Curtney).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking hidden .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese horse trambling hot (!) titts beautyfull (Tatjana).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Drops file in Program Files directory 19 IoCs

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\indian action hardcore voyeur penetration .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian handjob hardcore girls cock castration .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian cum horse voyeur stockings .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american animal fucking lesbian Ôï (Sonja,Sarah).mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Microsoft\Temp\black horse horse several models .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american cum trambling lesbian cock bondage .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian cum bukkake hidden hairy .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay hidden feet boots (Karin).mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\horse lesbian feet blondie .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\xxx full movie .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\dotnet\shared\black nude lesbian girls Ôï .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian handjob beast [milf] (Janette).mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish gang bang bukkake sleeping hole traffic .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian action horse hot (!) titts (Britney,Curtney).rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Google\Temp\german horse voyeur hotel .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish fetish trambling hidden redhair .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\root\Templates\fucking full movie cock .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish kicking bukkake catfight cock .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\lingerie uncut 50+ (Christine,Karin).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Drops file in Windows directory 64 IoCs

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	ioc	process
File created	C:\Windows\CbsTemp\tyrkish fetish trambling [bangbus] feet .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SoftwareDistribution\Download\italian cum lingerie licking .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish horse xxx [free] cock traffic (Melissa).mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\sperm lesbian .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\japanese cum blowjob several models titts .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\asian beast hot (!) girly .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\beastiality sperm [bangbus] cock bondage (Curtney).rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\assembly\temp\gay hidden sweet .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\swedish fetish xxx public sm .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\lingerie hidden wifey .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\norwegian fucking sleeping (Melissa).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\norwegian bukkake masturbation hole penetration .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\canadian bukkake several models (Sylvia).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\animal bukkake full movie young .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\indian handjob lesbian sleeping (Sylvia).rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\british sperm catfight cock traffic (Karin).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\trambling licking titts castration (Karin).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\german bukkake licking .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\chinese fucking hot (!) hotel (Kathrin,Karin).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\gay uncut .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\black handjob trambling [bangbus] .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay public titts sm .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\trambling [free] titts .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\british lesbian girls cock boots (Jade).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\action sperm voyeur feet circumcision .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\tyrkish nude beast lesbian titts sm .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\assembly\tmp\bukkake several models hole .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\cum hardcore public mistress .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\blowjob girls YEâPSè& (Christine,Janette).mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\kicking lingerie sleeping glans Ôï .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\beast [bangbus] .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\gang bang xxx public bondage .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\trambling [milf] .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\british fucking girls YEâPSè& .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\brasilian horse hardcore hot (!) hole 50+ (Karin).rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\tyrkish animal beast public hole .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\fetish sperm hot (!) .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\malaysia gay voyeur mistress .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\beast voyeur black hairunshaved (Anniston,Samantha).rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\beastiality blowjob [bangbus] .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\malaysia beast several models .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\lesbian uncut titts wifey (Samantha).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\spanish beast lesbian glans black hairunshaved .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\norwegian horse licking (Sylvia).avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\handjob lesbian [milf] redhair .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\lingerie [bangbus] .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lesbian sleeping beautyfull .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\german lesbian public glans .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\norwegian lingerie hot (!) titts .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\sperm girls .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\malaysia lingerie voyeur beautyfull .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\spanish sperm catfight cock bondage .mpeg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\italian kicking bukkake lesbian feet .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\lesbian public feet castration .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\black horse xxx girls traffic .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\Downloaded Program Files\danish kicking blowjob [free] 40+ .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian gang bang fucking several models feet .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\danish cum hardcore sleeping bedroom .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\horse catfight lady .rar.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\french blowjob hot (!) .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\british fucking public cock beautyfull (Liz).zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\french trambling uncut mistress .zip.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie lesbian cock .mpg.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish action bukkake full movie hotel .avi.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

pid	process
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
5436	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
4252	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

description	pid	process	target process
PID 3040 wrote to memory of 4696	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 3040 wrote to memory of 4696	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 3040 wrote to memory of 4696	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 3040 wrote to memory of 4252	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 3040 wrote to memory of 4252	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 3040 wrote to memory of 4252	3040	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 4696 wrote to memory of 5436	4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 4696 wrote to memory of 5436	4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
PID 4696 wrote to memory of 5436	4696	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe	3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe

C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
"C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
"C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
"C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe
"C:\Users\Admin\AppData\Local\Temp\3b40b1651ed9ceb80ed6ca004143400584600e10d64d628258351a83aa5d65a3.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3668 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian cum bukkake hidden hairy .mpg.exe
Filesize
1.2MB

MD5
694b4c4cb16867b57ef00214e16eef6a

SHA1
22c9992d32be51f88962c0a8d76ae92136d2a09c

SHA256
2b735c1ea39f607c83df5eeab4918111b6ccf949a61fa65ab9fea6105e1e74f4

SHA512
48b2fdaa18fc6b53ba91b804f4d35792c25065e11dedcf893ca2f60db511d563c4f0b8708a2c82946c707188b707583cbfea87cfa1d6fbd118f3ed8096f7623f

Download Submit
memory/3040-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3040-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4252-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4252-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4696-7-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4696-49-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5436-15-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5436-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads