22606d6d601e0fae177553f6b343c5b1605ea0cbff5da7dacb2289ccaaf1bebe

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2024, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

635a54f6e734b823ec8e64b3bfbf26db.exe
Size

208KB
MD5

635a54f6e734b823ec8e64b3bfbf26db
SHA1

e66f8daa93c55ab0ec664161772e450f14180ff6
SHA256

22606d6d601e0fae177553f6b343c5b1605ea0cbff5da7dacb2289ccaaf1bebe
SHA512

3db0f56a5d4bf8cd403db51173688e4bde5430ef09e430a0b50fe8699ba5f6a5360ffa881f5883f409884dc4e5ba0218f9b38c9b22dbad8bdf0b225f03712e8c
SSDEEP

6144:lybCZmNOIxs3NBBxn5YtkbdTf7ZUPrnNz:lyTi9BR3RTf7WPd

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	635a54f6e734b823ec8e64b3bfbf26db.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	635a54f6e734b823ec8e64b3bfbf26db.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	635a54f6e734b823ec8e64b3bfbf26db.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\E:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\J:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\Q:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\T:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\V:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\L:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\M:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\X:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\Z:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\B:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\K:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\N:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\P:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\R:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\U:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\Y:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\G:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\H:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\I:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\O:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\S:	635a54f6e734b823ec8e64b3bfbf26db.exe
File opened (read-only)	\??\W:	635a54f6e734b823ec8e64b3bfbf26db.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese porn lingerie [bangbus] feet girly .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian fetish beast hot (!) cock mature .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian horse fucking several models .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking sleeping titts .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse several models blondie .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian nude fucking lesbian (Sarah).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\FxsTmp\canadian xxx masturbation glans .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\IME\SHARED\sperm several models circumcision .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese animal hardcore [milf] hole .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american horse hardcore several models (Jade).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm hidden 40+ .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american horse lesbian [free] glans (Britney,Melissa).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\indian beastiality bukkake hidden .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian kicking gay voyeur .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black fetish hardcore public high heels .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Microsoft\Temp\japanese porn gay licking (Jade).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beast masturbation titts .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\blowjob hot (!) (Janette).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\japanese fetish xxx [milf] .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish horse gay several models shoes .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\russian kicking bukkake [free] (Karin).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish fetish xxx public titts bondage (Samantha).rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU832A.tmp\sperm [bangbus] titts (Christine,Melissa).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx masturbation .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\dotnet\shared\tyrkish handjob bukkake several models hole hotel (Liz).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\trambling several models (Tatjana).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gay [free] beautyfull .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\hardcore licking cock .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian cum bukkake voyeur titts .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Google\Temp\gay voyeur feet high heels .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\danish beastiality lingerie hidden glans pregnant (Karin).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\french sperm uncut lady (Anniston,Sarah).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\fetish hardcore girls feet blondie (Melissa).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian gang bang fucking lesbian ash (Anniston,Samantha).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\action blowjob uncut feet .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\danish gang bang hardcore licking boots .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian action blowjob [milf] 50+ .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\beast full movie .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\beast girls .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\norwegian blowjob licking cock (Christine,Karin).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\italian cum beast sleeping cock mistress .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\spanish horse [bangbus] glans beautyfull .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\malaysia blowjob girls cock sm .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\lesbian [bangbus] cock high heels .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\beastiality trambling public titts (Anniston,Tatjana).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\hardcore public cock .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\tyrkish cumshot beast [milf] titts granny (Sarah).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\trambling catfight glans granny .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\american fetish sperm full movie .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish animal horse catfight redhair .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\brasilian nude horse girls titts .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\african beast full movie .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\tyrkish animal gay [milf] femdom (Sonja,Curtney).rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\french lesbian hot (!) glans femdom .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\cum bukkake girls hairy .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\japanese beastiality xxx uncut hole .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\asian beast full movie girly (Sandy,Tatjana).rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish cum fucking [milf] sweet .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\american animal blowjob several models titts shoes .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\asian trambling big hole bedroom .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\sperm masturbation glans ash (Curtney).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\tyrkish animal blowjob [free] (Sylvia).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\american nude xxx licking (Sarah).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\french lesbian [free] .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\african gay masturbation feet redhair .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\german horse uncut feet granny .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\bukkake several models cock .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\swedish nude fucking big swallow .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\brasilian action bukkake [milf] feet wifey (Tatjana).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\russian gang bang blowjob [milf] cock castration (Liz).rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\CbsTemp\danish animal fucking hidden upskirt .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\handjob hardcore [milf] .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\nude lesbian hidden titts .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\fucking hidden glans granny .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\lesbian girls bedroom .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\hardcore full movie pregnant (Sandy,Sylvia).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\african trambling public .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\black porn gay masturbation feet femdom (Sylvia).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\horse [milf] Ôï .mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\tyrkish fetish sperm hot (!) .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\american kicking trambling [free] (Samantha).rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\malaysia xxx several models traffic .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\mssrv.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\porn gay several models glans .avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\xxx lesbian high heels .zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\american action hardcore girls feet stockings .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\fetish blowjob [milf] hole gorgeoushorny (Melissa).mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\japanese action fucking big (Jade).mpg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\chinese fucking [bangbus] cock high heels (Janette).zip.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\african gay lesbian sm (Gina,Tatjana).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\malaysia blowjob big .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\danish porn horse sleeping hotel .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\horse [bangbus] cock .mpeg.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\horse public feet upskirt (Curtney).avi.exe	635a54f6e734b823ec8e64b3bfbf26db.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\gang bang trambling hot (!) cock castration .rar.exe	635a54f6e734b823ec8e64b3bfbf26db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
4976	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1116	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1364	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe
1652	635a54f6e734b823ec8e64b3bfbf26db.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1364	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	90
PID 1116 wrote to memory of 1364	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	90
PID 1116 wrote to memory of 1364	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	90
PID 1364 wrote to memory of 1652	1364	635a54f6e734b823ec8e64b3bfbf26db.exe	91
PID 1364 wrote to memory of 1652	1364	635a54f6e734b823ec8e64b3bfbf26db.exe	91
PID 1364 wrote to memory of 1652	1364	635a54f6e734b823ec8e64b3bfbf26db.exe	91
PID 1116 wrote to memory of 4976	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	92
PID 1116 wrote to memory of 4976	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	92
PID 1116 wrote to memory of 4976	1116	635a54f6e734b823ec8e64b3bfbf26db.exe	92

C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
"C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
  "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
    "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1652
- C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe
  "C:\Users\Admin\AppData\Local\Temp\635a54f6e734b823ec8e64b3bfbf26db.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\trambling several models (Tatjana).avi.exe

Filesize
1.4MB

MD5
64711f87dbf44eb7b032f5d898f24033

SHA1
4fe21e8b7945951e1e077a13c1a972f35d586832

SHA256
b81eb15f4be913d6b8541492275d4b1db94b43a7decdcd68f84e1e70117c5d2d

SHA512
d069293c135ca1a37fb210b93e0c2a6bc7cfb1e5d792d5767be58cc99a9d73162459acad79b2b333de3e3447495183d337f9064ca47558612f9e7827ad6c8810

Download Submit
memory/1116-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1652-154-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4976-155-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download