335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0

General

Target

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
Size

1.5MB
MD5

f7af8d38a00fcd947d8027ef7f0a390c
SHA1

a9ab160a680710288decd7ff7c7883e2edd87c95
SHA256

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0
SHA512

85fc5791ec734632a81e090447581068796ede9e05b3dc7a5c476aaf99f78e2ea8cdb3de4dd0dbb7bb516516654abbd2f81999724a9e3015d634421baca436c3
SSDEEP

24576:bH9+it8wHVOzjbbt/KQdsRRsv07zhq2O0aXpivCD7VopgVC7I7EEFcxNh:joiVHAzjbZjsR5FoXpSCD7Igcx3

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1980-0-0x0000000000400000-0x0000000000429000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1980-0-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese sperm sperm [bangbus] (Ashley,Sonja).mpeg.exe	UPX
behavioral2/memory/2608-45-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral2/memory/1860-155-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral2/memory/4736-154-0x0000000000400000-0x0000000000429000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1980-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese sperm sperm [bangbus] (Ashley,Sonja).mpeg.exe	upx
behavioral2/memory/2608-45-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/1860-155-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4736-154-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
File opened (read-only)	\??\G:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\H:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\I:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\P:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\Q:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\U:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\V:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\X:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\B:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\K:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\R:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\T:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\A:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\M:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\N:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\Y:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\E:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\J:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\L:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\O:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\S:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\W:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File opened (read-only)	\??\Z:	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Drops file in System32 directory 12 IoCs

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\canadian porn blowjob licking (Sandy).rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal fetish girls (Jade,Karin).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse girls nipples shower (Gina).zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian lingerie xxx [milf] wifey .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese trambling action [milf] legs .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian handjob hot (!) nipples hotel .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\chinese blowjob porn several models fishy .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black gang bang girls circumcision .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\porn fetish [milf] .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish nude kicking [free] .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\FxsTmp\american animal hot (!) feet .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\fetish beast uncut .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Drops file in Program Files directory 18 IoCs

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\horse cum hidden .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\british porn animal [milf] black hairunshaved .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\russian horse lingerie [bangbus] .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black beast nude hot (!) vagina 40+ .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german horse fucking big ejaculation .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\swedish xxx horse voyeur beautyfull .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese sperm sperm [bangbus] (Ashley,Sonja).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\asian xxx animal masturbation black hairunshaved .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african trambling porn [free] nipples .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\action horse [milf] bedroom (Melissa).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese animal blowjob catfight titts .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\dotnet\shared\chinese porn cum sleeping YEâPSè& .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia fucking full movie feet (Sonja,Kathrin).avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\cum kicking [milf] .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Common Files\microsoft shared\british horse masturbation penetration .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\french nude beast [bangbus] (Sarah,Sonja).avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Google\Temp\malaysia hardcore big nipples black hairunshaved .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\tyrkish action masturbation balls .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Drops file in Windows directory 64 IoCs

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\african beastiality gay several models redhair .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\american action cum several models .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\african hardcore sleeping YEâPSè& (Christine,Ashley).zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\malaysia lingerie trambling girls cock hotel .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\InputMethod\SHARED\xxx sperm full movie lady .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\german hardcore horse [bangbus] ash .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\animal full movie vagina (Sandy,Samantha).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\swedish lingerie full movie .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\blowjob big .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\kicking fucking [bangbus] beautyfull .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\german trambling beast uncut ash castration .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\mssrv.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\cum gang bang public fishy .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\Temp\japanese lesbian sperm big mature .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\gang bang xxx girls nipples femdom (Ashley,Britney).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\swedish xxx fetish [milf] granny .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\danish blowjob [bangbus] bondage .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\black kicking full movie (Melissa,Gina).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\fucking big Ôï .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\african trambling xxx licking .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\lesbian girls .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\gang bang [milf] beautyfull .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\lesbian cumshot hot (!) .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\japanese kicking gay sleeping 50+ .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\italian kicking kicking hot (!) cock granny .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\cumshot action public cock mature .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\gay lesbian high heels .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\norwegian cumshot several models swallow (Jenna).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\norwegian horse horse licking hole boots .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\trambling sleeping .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\gay hot (!) traffic (Sonja).rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\russian blowjob [bangbus] young .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\cumshot big .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\porn beast hidden glans .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\animal masturbation fishy (Liz,Ashley).avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\xxx masturbation .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\chinese fetish big (Curtney,Anniston).rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\canadian nude big bondage .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\lingerie handjob uncut boobs hotel (Gina,Ashley).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\lesbian big Ôï .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\sperm [bangbus] nipples leather .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\sperm uncut boots (Sonja,Kathrin).avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lesbian [free] (Karin,Liz).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\nude porn full movie beautyfull (Sandy).mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\blowjob fetish sleeping .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\gay action voyeur 40+ .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\malaysia horse licking fishy .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\swedish nude trambling [milf] .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\norwegian nude gang bang voyeur (Ashley).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx big (Gina).zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\brasilian lingerie voyeur vagina balls .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\fucking lesbian boots .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\italian lesbian hidden ash girly .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\british horse hardcore [milf] black hairunshaved .zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\tyrkish handjob sperm uncut femdom (Sylvia,Ashley).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\asian xxx horse public titts blondie .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\norwegian blowjob girls (Sarah).zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\indian gang bang voyeur penetration (Sarah,Tatjana).mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\bukkake xxx [milf] .rar.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\beast [bangbus] sm .mpg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\gay cum lesbian YEâPSè& (Sonja,Ashley).zip.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\sperm catfight penetration .mpeg.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\porn masturbation hotel .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian handjob several models pregnant .avi.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

pid	process
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
4736	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
1860	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

description	pid	process	target process
PID 1980 wrote to memory of 2608	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 1980 wrote to memory of 2608	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 1980 wrote to memory of 2608	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 2608 wrote to memory of 4736	2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 2608 wrote to memory of 4736	2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 2608 wrote to memory of 4736	2608	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 1980 wrote to memory of 1860	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 1980 wrote to memory of 1860	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
PID 1980 wrote to memory of 1860	1980	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe	335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe

C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
"C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
"C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
"C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe
"C:\Users\Admin\AppData\Local\Temp\335d1a8ce4b55544720e2f5b6e9a9f3b5e09dc442986b37f8762f90de27568d0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese sperm sperm [bangbus] (Ashley,Sonja).mpeg.exe
Filesize
1.0MB

MD5
a3ecb8391adbf98a127eb03168fe5e52

SHA1
9965116ad6a5715b8282e305104a2033a3cb922a

SHA256
21a0c631724cd289d5856bf8d3ef1ad73673939bcf152212998557c6240babb8

SHA512
8ef6f02bc4b7b40a1c5984b124c76845a4b168a33e71032234361071be7095f73a758e4b2bba33cab4057ab38db0c51f3da473b73b8daaa4ef22f7cfe11e99b2

Download Submit
memory/1860-155-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1980-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2608-45-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4736-154-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads