d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
Size

97KB
MD5

a9d9113024886f82aadfa4988765ffa4
SHA1

65fe2a95c69931ed4e0c500e9d8372792860e1cd
SHA256

d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269
SHA512

3e79082e57cc87db7448fc6b59d2c301fb301cc42c89438c8fe6fce843d6905d0449a2ed74cb832c3da64dd64be292ed209faacc043c5c95f2a6cd887e081491
SSDEEP

1536:dVRVCaKgzbLc54hukfgvYnouy8jV1Ayj4m/QWR/RFN4g2BXGW+:dfjbLl/gvQouth1Tj4mYWR/REg2BX8

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 20 IoCs

resource	yara_rule
behavioral2/memory/2796-0-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4224-80-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2304-166-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-184-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2304-187-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2896-186-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-189-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-193-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-196-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-206-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-210-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-215-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-219-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-223-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-227-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-231-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-235-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-239-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-243-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2796-247-0x0000000000400000-0x000000000041D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 22 IoCs

resource	yara_rule
behavioral2/memory/2796-0-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/files/0x0031000000023bbd-5.dat	UPX
behavioral2/memory/4224-80-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2896-165-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2304-166-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-184-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2304-187-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2896-186-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-189-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-193-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-196-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-206-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-210-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-215-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-219-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-223-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-227-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-231-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-235-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-239-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-243-0x0000000000400000-0x000000000041D000-memory.dmp	UPX
behavioral2/memory/2796-247-0x0000000000400000-0x000000000041D000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2796-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x0031000000023bbd-5.dat	upx
behavioral2/memory/4224-80-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2896-165-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2304-166-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-184-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2304-187-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2896-186-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-189-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-193-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-196-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-206-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-210-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-215-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-219-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-223-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-227-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-231-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-235-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-239-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-243-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2796-247-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\E:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\O:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\P:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\R:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\H:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\J:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\S:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\T:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\V:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\W:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\Z:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\G:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\K:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\M:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\N:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\U:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\X:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\A:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\I:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\L:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\Q:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File opened (read-only)	\??\Y:	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\bukkake masturbation ¼ë .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm catfight cock shoes (Melissa).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\xxx big wifey .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish animal beast licking .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian gang bang xxx masturbation latex .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black handjob lingerie [bangbus] hairy .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\FxsTmp\indian cum hardcore [bangbus] titts traffic (Jade).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\IME\SHARED\lingerie hidden hole (Christine,Melissa).rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\fucking several models hole ¤ç .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\animal lingerie sleeping redhair (Britney,Jade).avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian gang bang xxx hidden glans circumcision .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black kicking gay lesbian .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\gay hot (!) hole beautyfull (Liz).avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish cum lingerie voyeur (Jade).zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fucking sleeping Ôï .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian cumshot horse licking beautyfull .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\xxx [free] titts (Jenna,Karin).mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse voyeur titts .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\sperm public sweet .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Microsoft Office\root\Templates\indian beastiality blowjob big hairy (Christine,Janette).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\russian animal xxx voyeur feet fishy .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian porn blowjob hidden young .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\japanese cumshot sperm hot (!) titts .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Common Files\microsoft shared\bukkake [free] hole boots (Jade).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\dotnet\shared\fucking licking titts .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Google\Temp\russian gang bang lesbian sleeping swallow .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish cum lesbian several models blondie .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\black handjob hardcore uncut titts swallow .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish kicking xxx sleeping (Liz).zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\swedish cumshot trambling lesbian cock .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\porn blowjob [free] hole .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fucking uncut swallow .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\fucking [bangbus] .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\xxx licking .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\nude gay licking hole .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\animal lingerie full movie beautyfull .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\sperm [milf] leather .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\malaysia bukkake [milf] beautyfull .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\cum beast uncut .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\sperm public upskirt .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\japanese fetish lingerie hidden .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\porn lingerie uncut femdom .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\blowjob masturbation ejaculation .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\swedish cum hardcore lesbian cock .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\british bukkake uncut feet shoes .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\american action beast catfight glans wifey (Melissa).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\CbsTemp\swedish nude xxx voyeur glans .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\italian action lingerie catfight gorgeoushorny .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\fetish xxx full movie glans mature .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\black fetish trambling catfight redhair .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\italian horse hardcore masturbation glans hairy (Melissa).mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\hardcore voyeur 40+ .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\spanish fucking sleeping feet mature .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\indian porn lesbian full movie gorgeoushorny .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\indian nude sperm hot (!) mature .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\fucking hot (!) pregnant .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\african hardcore sleeping (Jade).rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\canadian fucking hot (!) upskirt .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\african xxx sleeping fishy .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\sperm sleeping titts .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\chinese horse voyeur hole .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\italian cumshot gay [milf] stockings (Britney,Janette).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\danish cum hardcore hot (!) hole bondage .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\chinese gay sleeping bondage .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\sperm public feet balls (Janette).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\italian cumshot xxx catfight 40+ .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\african beast sleeping castration .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\chinese gay sleeping glans .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\bukkake several models upskirt (Ashley,Melissa).zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\black gang bang hardcore masturbation leather .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\security\templates\blowjob sleeping glans .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\african hardcore uncut cock upskirt (Curtney).mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\beastiality trambling catfight hairy .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\canadian lingerie big girly .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\german blowjob catfight Ôï .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\african bukkake hot (!) cock .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\black handjob gay full movie hole .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian horse beast masturbation beautyfull .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian [free] .mpeg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\norwegian gay hot (!) titts .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\italian handjob horse [free] hole high heels .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\tyrkish kicking beast [milf] cock (Gina,Liz).zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\chinese lesbian masturbation .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\kicking sperm lesbian girly .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\indian handjob xxx uncut hairy .zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\gang bang sperm hot (!) sweet .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\danish beastiality horse sleeping fishy .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\swedish handjob fucking uncut (Karin).avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\xxx full movie cock ¼ë .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french sperm big leather .avi.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\malaysia xxx lesbian pregnant .mpg.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\norwegian fucking hot (!) latex .rar.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\gay masturbation feet hairy (Sylvia).zip.exe	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2304	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
2896	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4224	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	87
PID 2796 wrote to memory of 4224	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	87
PID 2796 wrote to memory of 4224	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	87
PID 4224 wrote to memory of 2896	4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	88
PID 4224 wrote to memory of 2896	4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	88
PID 4224 wrote to memory of 2896	4224	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	88
PID 2796 wrote to memory of 2304	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	89
PID 2796 wrote to memory of 2304	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	89
PID 2796 wrote to memory of 2304	2796	d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe	89

C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
"C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
  "C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
    "C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2896
- C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe
  "C:\Users\Admin\AppData\Local\Temp\d34de2998fd536ac10b927a0beb00035b00c7dda5908468b96452fe188351269.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse voyeur titts .rar.exe

Filesize
2.0MB

MD5
e2b0d8fa9aadd9ef053a70632a38efbe

SHA1
ffb0240d0756f537568ca528b08c660f072a8dec

SHA256
902c8316d2e17e28b64d4700cc33961ec55cb7bf72f569655195d0d2f485fd18

SHA512
52862672905a4f7fc1ba59b3298e2af12a5bed88f93e9ec9033109a21878a162be6155e89d7f9da4ba9b587d28f6e760bfa6dff3427909319fa265abb9281172

Download Submit
memory/2304-166-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2304-187-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-196-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-210-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-184-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-247-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-243-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-189-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-193-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-206-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-239-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-215-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-219-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-223-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-227-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-231-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2796-235-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2896-165-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2896-186-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4224-80-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download