4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac

General

Target

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
Size

293KB
MD5

6e702aa2906fd2794a236213be105658
SHA1

abf56f7b181e892f2e4464c3dada9271c8a76e26
SHA256

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac
SHA512

a29e496fb5a7a1153006b82be8e0427aebb78b63d88a2f8ec95e0737f0694582523a74819c5c9c5c22a9007d5242a92c5c82e67d7748403e97ed150ed9fd2b3d
SSDEEP

6144:VjluQoSiIo5RLZX2HHIECXKpjmLo3tj02tgA5/DF6Ne9CYU5BgioMF:VEQoSm/ZmHo8mLKBuAVDY/jbgdMF

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/332-17-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1964-154-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/220-158-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4584-162-0x0000000000400000-0x000000000041F000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/332-0-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian fucking fucking public girly .avi.exe	UPX
behavioral2/memory/1964-11-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/220-13-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4584-14-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/332-17-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/1964-154-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/220-158-0x0000000000400000-0x000000000041F000-memory.dmp	UPX
behavioral2/memory/4584-162-0x0000000000400000-0x000000000041F000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/332-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian fucking fucking public girly .avi.exe	upx
behavioral2/memory/1964-11-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/220-13-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4584-14-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/332-17-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1964-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/220-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4584-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
File opened (read-only)	\??\Z:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\H:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\Q:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\R:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\T:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\S:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\U:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\X:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\Y:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\G:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\K:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\L:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\N:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\P:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\W:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\E:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\I:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\J:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\O:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\A:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\B:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\M:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File opened (read-only)	\??\V:	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Drops file in System32 directory 12 IoCs

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IME\SHARED\sperm sleeping leather .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\asian xxx sleeping glans .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality horse licking castration (Jade).mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish cum big feet .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\FxsTmp\french cum porn [free] 40+ (Janette).mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beastiality bukkake masturbation titts bedroom .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\System32\DriverStore\Temp\norwegian action masturbation .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian cumshot [free] .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black lingerie gay hot (!) glans 50+ .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\config\systemprofile\gay cumshot girls shower .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\IME\SHARED\swedish cum big .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beast [free] .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Drops file in Program Files directory 19 IoCs

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian fucking fucking public girly .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black fetish lesbian boobs .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Google\Temp\japanese fetish animal [free] sweet .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Microsoft\Temp\malaysia lingerie trambling lesbian feet hairy .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Common Files\microsoft shared\trambling fucking public swallow .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\dotnet\shared\animal nude voyeur .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\british horse cumshot public .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish gay lesbian uncut (Janette).mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cum girls castration .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\norwegian cumshot [bangbus] .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\black horse fucking masturbation pregnant .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\american cumshot handjob uncut .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Google\Update\Download\lesbian hidden cock (Sarah,Ashley).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\spanish handjob licking .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\Microsoft Office\root\Templates\british cumshot public feet .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish sperm gay hidden sweet .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\xxx big castration .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish xxx [free] pregnant .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\danish bukkake bukkake girls beautyfull .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Drops file in Windows directory 64 IoCs

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\spanish animal beast voyeur (Sonja,Anniston).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\african nude fucking [milf] .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\fucking cumshot masturbation Ôï .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\british gang bang hidden bedroom (Britney).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\african hardcore several models YEâPSè& (Jenna,Jade).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\security\templates\norwegian horse gang bang licking upskirt .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\danish gay girls hotel (Britney,Karin).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\bukkake lesbian boobs shoes (Ashley).mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\kicking girls 50+ .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\beast masturbation blondie .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\malaysia porn sleeping (Jade,Sonja).rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\italian sperm hot (!) (Sandy,Melissa).rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\fetish xxx [milf] (Sandy).mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\blowjob gang bang uncut .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\british hardcore big shower .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\fucking cum sleeping ash (Melissa).rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\lingerie [bangbus] hotel (Tatjana).zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\canadian beastiality [milf] boobs .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\japanese horse [bangbus] .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\italian cumshot blowjob big high heels .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\horse horse masturbation circumcision .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\blowjob fetish full movie femdom .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\asian lingerie hardcore masturbation ash (Kathrin,Janette).mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\black kicking uncut cock (Britney).zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\canadian bukkake fetish [milf] .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\blowjob action sleeping penetration .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\brasilian lesbian porn licking nipples .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx uncut circumcision .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\japanese nude hardcore [bangbus] castration (Kathrin).rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SoftwareDistribution\Download\blowjob beastiality big feet redhair .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\nude catfight sweet .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\porn several models ash ash .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\german handjob gang bang masturbation pregnant (Samantha).rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\asian bukkake girls .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\kicking bukkake sleeping .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\action cumshot [bangbus] latex .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\italian lingerie cum uncut swallow .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\canadian fucking horse [free] .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\assembly\tmp\indian horse uncut boobs swallow .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\fetish catfight granny .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\asian animal gang bang [milf] granny .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\malaysia porn full movie 50+ .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\porn masturbation nipples .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\norwegian lingerie gang bang catfight upskirt .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\xxx voyeur .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling catfight 40+ .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\german cum hot (!) YEâPSè& .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\german animal trambling masturbation .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\african trambling sleeping nipples .zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\kicking uncut .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\mssrv.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\InputMethod\SHARED\japanese lingerie masturbation .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\gang bang lesbian .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\bukkake xxx catfight vagina .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\hardcore blowjob girls feet .mpg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\gay kicking catfight 50+ (Jenna,Sonja).zip.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\indian gay uncut stockings .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\fucking catfight upskirt .rar.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\african beastiality girls young (Sonja,Sylvia).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\lingerie several models black hairunshaved .mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\german animal masturbation girly (Jade).mpeg.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\PLA\Templates\nude horse [milf] traffic .avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\beastiality hot (!) (Sonja,Janette).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\chinese handjob trambling girls hotel (Sylvia).avi.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

pid	process
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
4584	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
220	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

description	pid	process	target process
PID 332 wrote to memory of 1964	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 332 wrote to memory of 1964	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 332 wrote to memory of 1964	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 332 wrote to memory of 220	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 332 wrote to memory of 220	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 332 wrote to memory of 220	332	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 1964 wrote to memory of 4584	1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 1964 wrote to memory of 4584	1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
PID 1964 wrote to memory of 4584	1964	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe	4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe

C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
"C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
"C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
"C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe
"C:\Users\Admin\AppData\Local\Temp\4d242a0dfa7657a6844fd63477dc9d2a60d44deebceb14fb6d03a3a2bea04eac.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian fucking fucking public girly .avi.exe
Filesize
1.8MB

MD5
47c95277444a5744f278ac55e6c19e02

SHA1
f53398a1bb492d41d1091ffbc3094920c6b93063

SHA256
c78cefa745ad78d655e28b31898097001b01bc47828b3f9e5c0fdb8c0667e62d

SHA512
71d85e1f789f55159615f749725a5858121e07b325f7f8dc973db6667e07a9b673283518618b7263b154c38c07dc8ad2229be4ffb5a26e72e678416bc84234ef

Download Submit
memory/220-13-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/220-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/332-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/332-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-11-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4584-14-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4584-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads