0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6

Analysis

max time kernel
151s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2022, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
Size

282KB
MD5

79d8f57b339f3d54deb900892739a810
SHA1

ee6935ab0513a14a1ceaf817037240e8d7141fe5
SHA256

0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6
SHA512

b8c3592a6b75a59c189b6350c9fecefc5414de0188194d3f2944569234b73e192d9e1ea55bcb30a4a7b5d68309338c85dc196bd68dcb290a81d9084a3f5c0c62
SSDEEP

6144:zXC4vgmhbIxs3NBB0znIEMi1MMmIWnYtI1oumOWozS934TsVKxTWYnC4E+Dw2:zXCNi9BYIq9JI1VVzS9oTsYMYn+Sb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\B:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\H:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\Q:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\V:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\M:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\P:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\R:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\S:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\X:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\Z:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\T:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\U:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\E:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\G:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\I:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\K:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\N:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\O:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\W:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\Y:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\F:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\J:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File opened (read-only)	\??\L:	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american action hardcore voyeur .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian action lesbian sleeping bedroom .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese action xxx hot (!) .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\IME\SHARED\fucking hidden castration (Kathrin,Melissa).mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian kicking lesbian uncut cock shoes (Liz).mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm licking swallow .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore public cock ¼ë .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\FxsTmp\nude hardcore licking glans circumcision (Curtney).avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\IME\SHARED\fucking girls .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian gang bang fucking licking mature .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian porn blowjob [bangbus] glans bedroom .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\bukkake hot (!) titts stockings (Tatjana).zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese kicking hardcore catfight hole fishy .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\root\Templates\xxx licking penetration .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\sperm big black hairunshaved .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\horse several models glans penetration .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Google\Update\Download\blowjob uncut sweet .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\sperm uncut .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish cumshot blowjob voyeur femdom .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\indian cumshot lingerie sleeping cock lady (Melissa).mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Microsoft\Temp\russian handjob sperm [bangbus] hole (Sonja,Karin).zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian beastiality xxx public cock boots (Janette).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Common Files\microsoft shared\tyrkish cum blowjob lesbian .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish action lesbian [free] balls .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\black gang bang sperm sleeping .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm catfight Ôï .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese animal sperm hidden .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\american handjob sperm girls (Samantha).avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cum sperm big (Karin).mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\indian porn xxx sleeping glans sm .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\handjob beast [bangbus] pregnant .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\black porn hardcore girls .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian cum gay public ash .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american nude lesbian hot (!) .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\indian cum bukkake [milf] shower (Sandy,Liz).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\german trambling girls cock YEâPSè& .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\tyrkish animal beast [free] titts .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\cumshot fucking uncut cock femdom (Jade).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\malaysia gay licking shower (Gina,Curtney).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\gay licking shower .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\brasilian animal hardcore public 50+ .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\french gay masturbation hole .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\cumshot fucking [free] beautyfull .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\handjob fucking girls YEâPSè& .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\beastiality sperm [free] hole .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\danish kicking bukkake hot (!) glans (Kathrin,Curtney).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\danish nude beast masturbation shoes .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\xxx [bangbus] .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\black horse blowjob several models (Jade).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\xxx [bangbus] stockings .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\chinese bukkake sleeping balls .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\african trambling voyeur hairy .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\spanish beast voyeur feet .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\malaysia blowjob several models boots .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\indian cumshot beast lesbian mistress .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\russian action lesbian hot (!) hole pregnant .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\german lingerie [bangbus] cock mistress (Liz).mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\chinese hardcore hidden (Sarah).zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\german fucking sleeping blondie .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\CbsTemp\sperm hot (!) (Janette).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\german trambling catfight .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\black animal fucking big hotel .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\norwegian hardcore full movie cock circumcision (Liz).rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\horse several models beautyfull .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\gang bang lingerie public .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\swedish cumshot bukkake [bangbus] mature .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\russian cum fucking [free] glans 50+ .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\indian cumshot xxx girls glans stockings .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\fetish trambling uncut boots .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\lesbian [milf] glans circumcision (Tatjana).zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\russian action trambling masturbation feet .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\Downloaded Program Files\tyrkish cum beast girls .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\chinese fucking hidden black hairunshaved .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\handjob fucking voyeur titts blondie .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\tyrkish gang bang horse public feet ejaculation .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\brasilian porn lingerie voyeur glans gorgeoushorny .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\asian fucking [milf] glans .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\chinese lingerie girls hole ejaculation .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\spanish beast licking hole circumcision (Curtney).avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\beastiality fucking sleeping balls .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\PLA\Templates\danish animal hardcore girls (Curtney).zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\lingerie big bondage .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\norwegian trambling uncut traffic .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\french bukkake sleeping .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\japanese handjob lingerie girls ¤ç .mpg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\asian trambling [milf] feet penetration .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\swedish nude blowjob voyeur glans .avi.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\brasilian fetish gay full movie feet .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\gang bang horse [bangbus] .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\swedish animal horse [milf] titts lady .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\gay big glans .mpeg.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\british blowjob hot (!) cock .zip.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\danish action beast full movie hole leather .rar.exe	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
3456	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
4640	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 416	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	82
PID 4796 wrote to memory of 416	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	82
PID 4796 wrote to memory of 416	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	82
PID 4796 wrote to memory of 4640	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	83
PID 4796 wrote to memory of 4640	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	83
PID 4796 wrote to memory of 4640	4796	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	83
PID 416 wrote to memory of 3456	416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	84
PID 416 wrote to memory of 3456	416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	84
PID 416 wrote to memory of 3456	416	0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe	84

C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
"C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
  "C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
    "C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3456
- C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe
  "C:\Users\Admin\AppData\Local\Temp\0044da03380e1e26f141ff01e239ec517f8acb2f3fa879ac8a7b8601c085c1b6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads