d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
Size

1.7MB
MD5

4688a6c9c48b21cfd1776b0379861574
SHA1

648c4c71c267175a57c2a1c49ff4b3d5797c227d
SHA256

d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab
SHA512

1541ce54a509c9d349abefe11882dbbad467c46673a2cb5867cd109a26f158428588fb91b450bc855076e10a06f446ba4d6e295341c9bdda5692028c5eff78b8
SSDEEP

49152:qu6Y15SotJZULQNy1n0oxcr6lT+lUp+2sfhjhHaWzOcC:q6XSq/CTl6lUpPYxFVO/

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

resource	yara_rule
behavioral1/memory/2436-66-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-94-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2436-103-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1384-104-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-105-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-110-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-113-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-116-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-121-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-124-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-127-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-130-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-133-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-136-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-139-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-142-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2208-145-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/files/0x0008000000013a46-5.dat	UPX
behavioral1/memory/2436-66-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/1384-90-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-94-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2436-103-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/1384-104-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-105-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-110-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-113-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-116-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-121-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-124-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-127-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-130-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-133-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-136-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-139-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-142-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral1/memory/2208-145-0x0000000000400000-0x000000000041C000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\J:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\W:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\A:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\H:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\I:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\T:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\Z:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\B:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\E:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\N:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\P:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\R:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\S:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\U:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\K:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\L:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\M:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\O:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\Q:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\V:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\X:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File opened (read-only)	\??\Y:	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\chinese trambling sleeping .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\System32\DriverStore\Temp\kicking hot (!) .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\IME\shared\horse kicking licking vagina .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\FxsTmp\trambling trambling uncut ash .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\IME\shared\beast handjob [bangbus] granny (Christine).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian fetish masturbation young .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn masturbation femdom .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\french horse lesbian ash (Kathrin,Sonja).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese blowjob cum girls .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\cumshot blowjob [free] feet 50+ (Anniston).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\spanish lesbian blowjob girls .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake nude licking castration (Sonja,Karin).mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\action public lady (Melissa,Jade).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\swedish handjob blowjob catfight sweet (Karin,Anniston).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Google\Temp\british lesbian hidden titts (Sarah,Samantha).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Google\Update\Download\fucking licking latex .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\hardcore horse voyeur stockings .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gang bang hardcore hidden granny .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish trambling animal big mature .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\british gay lesbian hole upskirt .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\french nude blowjob lesbian (Anniston,Sandy).mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sperm kicking several models YEâPSè& .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files\Common Files\Microsoft Shared\indian sperm full movie bedroom .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files\Windows Journal\Templates\tyrkish porn big swallow .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\tyrkish gay handjob full movie .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\nude [free] granny .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\gay voyeur nipples shower (Sonja).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\chinese handjob sleeping beautyfull (Melissa).mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\chinese beast action full movie feet gorgeoushorny (Liz,Britney).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\russian gay sleeping ejaculation .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\fetish [milf] balls (Samantha,Curtney).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx bukkake masturbation beautyfull .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\spanish gang bang action [bangbus] boobs swallow (Sonja).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\italian gay beastiality girls .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\swedish handjob handjob uncut fishy .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\blowjob kicking uncut titts latex .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\InstallTemp\tyrkish animal uncut bedroom .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\lesbian lesbian girly .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\japanese blowjob sperm [milf] (Britney).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\japanese lesbian [bangbus] feet .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\malaysia cumshot horse voyeur glans ìï .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lesbian hot (!) gorgeoushorny (Sylvia).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\kicking horse hot (!) lady .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\french horse bukkake licking (Sonja).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\canadian gang bang sleeping traffic .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\nude gay voyeur young (Ashley,Jade).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\canadian hardcore beast girls penetration .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\brasilian lingerie xxx lesbian .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\animal several models .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\french xxx sperm hot (!) ìï .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\black cumshot gang bang hot (!) legs .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\cum porn licking .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\brasilian gang bang [free] (Tatjana,Tatjana).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\hardcore [bangbus] boobs circumcision .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\italian lesbian public bondage .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\tyrkish lingerie voyeur granny (Samantha).mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\american kicking several models boobs .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\german cumshot hot (!) traffic .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\kicking lesbian ash femdom .rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\blowjob hot (!) (Britney,Tatjana).mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\italian lingerie hot (!) legs latex (Melissa).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\asian blowjob sleeping titts (Ashley).zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\canadian cum girls (Liz,Sonja).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\Downloaded Program Files\french bukkake lesbian public (Jenna).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\canadian kicking masturbation YEâPSè& .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\cumshot bukkake public boobs .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\russian gang bang masturbation .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\brasilian beast full movie stockings .mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\danish beast public fishy (Anniston,Tatjana).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american lesbian sperm hidden feet high heels .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\italian beastiality licking vagina (Melissa,Tatjana).mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\french nude hot (!) boots .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\japanese gay action public cock .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\japanese nude licking young (Janette).avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\blowjob big (Karin).mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\russian beast cum public .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\kicking several models boobs bedroom (Sonja).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\beast gang bang licking upskirt .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\japanese blowjob nude uncut high heels (Samantha,Christine).mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\kicking fetish hot (!) bedroom .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\beastiality lesbian glans (Sarah,Britney).mpg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\brasilian horse [milf] .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\malaysia horse uncut .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\trambling uncut glans .zip.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\brasilian lesbian sperm big leather .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\animal fucking [milf] upskirt .mpeg.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\norwegian gang bang voyeur beautyfull (Liz,Sarah).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\brasilian blowjob action [milf] beautyfull (Melissa,Christine).rar.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\norwegian bukkake sperm several models .avi.exe	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
1384	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2436	2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	28
PID 2208 wrote to memory of 2436	2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	28
PID 2208 wrote to memory of 2436	2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	28
PID 2208 wrote to memory of 2436	2208	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	28
PID 2436 wrote to memory of 1384	2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	29
PID 2436 wrote to memory of 1384	2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	29
PID 2436 wrote to memory of 1384	2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	29
PID 2436 wrote to memory of 1384	2436	d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe	29

C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
"C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
  "C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe
    "C:\Users\Admin\AppData\Local\Temp\d2d9ae6e3b2e7e83ffe3dc4e2c8a0d1fac17dc28b7a1f6c9f8deea7923ac28ab.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake nude licking castration (Sonja,Karin).mpg.exe

Filesize
1.6MB

MD5
347f1da8ff8e98213cf9276952c6e089

SHA1
b35a45257f9db5703ec3ecc7899be5f76cfc050c

SHA256
c23bf6d052467c365ca563b051ef3ba0a69534272ffb38f83cb5de5087523eb8

SHA512
38010117453c8c4d5860cf16d530b5f4836f15c5c6535e2bc35321f43a0ff78221087b239d5af7643fbedfe547c29eb4c75f8cd171931ecb43717eaad064b8f0

Download Submit
memory/1384-90-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1384-104-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-110-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-116-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-105-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-108-0x0000000004980000-0x000000000499C000-memory.dmp

Filesize
112KB

Download
memory/2208-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-113-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-65-0x0000000004980000-0x000000000499C000-memory.dmp

Filesize
112KB

Download
memory/2208-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-124-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-127-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-130-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2208-133-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2436-109-0x0000000002140000-0x000000000215C000-memory.dmp

Filesize
112KB

Download
memory/2436-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2436-103-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2436-89-0x0000000002140000-0x000000000215C000-memory.dmp

Filesize
112KB

Download