4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 21:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
Size

1.1MB
MD5

df6ec9a5cb5a94951e5d826d38099e41
SHA1

59839c0cce78895fb4285efcf28a717d9c4d71cf
SHA256

4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65
SHA512

3e81c0d1d2d8ccb04092b00207638d172dea4b7c6ed2695b3274561f54b8d9209c4286e7bfc511b972606d3feff0fd451a2b72b206c581c3fe45a84c461f4151
SSDEEP

24576:86m7F02/35nVAsNzcjw6IvZckjkzLSj0G2ZTrHZSymtoI5QJ:5cr/pVuiD8j7wo

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023203-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\Q:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\Y:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\T:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\W:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\B:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\J:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\O:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\L:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\U:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\X:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\Z:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\A:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\H:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\K:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\N:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\P:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\R:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\S:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\V:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\E:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\G:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File opened (read-only)	\??\I:	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\blowjob girls latex .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian porn beast catfight shower .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beast public (Sylvia).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob catfight feet ejaculation .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian gang bang blowjob public hole bondage .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black horse sperm voyeur .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese beastiality bukkake public (Liz).mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish kicking trambling several models feet young .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian nude lingerie [bangbus] circumcision .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake big (Janette).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian porn trambling hidden (Melissa).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish gang bang gay [milf] (Samantha).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\tyrkish kicking fucking voyeur sm .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese fetish blowjob masturbation glans black hairunshaved (Samantha).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Microsoft\Temp\tyrkish animal horse licking cock .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Common Files\microsoft shared\indian nude sperm hot (!) hole Ôï .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american porn beast masturbation titts 50+ (Sarah).zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\japanese animal bukkake hidden mature .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black gang bang gay several models cock .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Google\Update\Download\black gang bang horse licking latex .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american animal fucking catfight .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\dotnet\shared\kicking xxx public .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian cumshot xxx catfight hotel .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian kicking trambling catfight glans penetration (Karin).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish cumshot horse masturbation sm .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish cum lesbian public .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Google\Temp\swedish porn sperm licking feet sweet (Jade).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian kicking gay voyeur .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian cum fucking several models cock .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\tyrkish nude xxx full movie high heels .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\xxx several models .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\gang bang hardcore lesbian Ôï .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\gay public penetration .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\german lesbian hot (!) hole .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\bukkake public penetration .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\xxx [free] shoes .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\canadian fucking catfight titts mature .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\danish nude blowjob public feet redhair .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\horse horse hidden 50+ .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\german horse public sm .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\italian kicking lingerie catfight feet .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\beastiality hardcore hidden cock .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\hardcore uncut cock .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\spanish bukkake [milf] feet .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\black nude trambling catfight cock beautyfull (Janette).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\tyrkish cumshot sperm hot (!) upskirt .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\american cum horse full movie upskirt .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\horse trambling girls glans .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\indian gang bang horse big granny .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\russian cum sperm full movie cock traffic .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\InstallTemp\bukkake hot (!) hole .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\canadian hardcore masturbation .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\mssrv.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\action blowjob uncut glans sweet .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\porn horse several models girly .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\spanish sperm lesbian cock traffic .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\blowjob masturbation .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\beast licking (Tatjana).mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\italian porn lingerie licking hole mature .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\handjob trambling big (Karin).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\danish animal blowjob uncut lady .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\russian cumshot xxx licking hole .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\chinese trambling sleeping glans .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\fucking full movie stockings .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\italian handjob hardcore lesbian wifey .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\norwegian sperm [milf] (Tatjana).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\PLA\Templates\horse lesbian granny .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\russian nude trambling public .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\trambling [bangbus] cock (Gina,Tatjana).mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\gay [free] swallow .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\american kicking fucking [milf] beautyfull .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\african sperm public (Melissa).avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\chinese sperm hidden titts .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\xxx [milf] (Liz).mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\danish nude gay voyeur stockings (Sandy,Melissa).mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\british trambling uncut boots .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\brasilian fetish xxx voyeur feet Ôï .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish handjob gay [milf] .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\brasilian handjob xxx several models hole .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\fetish fucking [milf] .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\malaysia hardcore licking pregnant .mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\fetish lesbian hot (!) hole (Anniston,Sarah).zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\SoftwareDistribution\Download\lesbian girls glans redhair (Janette).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\handjob trambling uncut feet redhair .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\italian nude bukkake public shower .mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\horse beast girls (Tatjana).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\brasilian beastiality gay public cock pregnant (Samantha).mpg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\american gang bang horse [milf] feet femdom .zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\lingerie [bangbus] sm .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\chinese gay [milf] .avi.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\spanish blowjob sleeping glans mature (Sylvia).rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\sperm lesbian (Jade).mpeg.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\american gang bang fucking several models (Melissa).zip.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\kicking horse licking balls .rar.exe	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
4876	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
2284	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1656	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	84
PID 1780 wrote to memory of 1656	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	84
PID 1780 wrote to memory of 1656	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	84
PID 1780 wrote to memory of 2284	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	85
PID 1780 wrote to memory of 2284	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	85
PID 1780 wrote to memory of 2284	1780	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	85
PID 1656 wrote to memory of 4876	1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	86
PID 1656 wrote to memory of 4876	1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	86
PID 1656 wrote to memory of 4876	1656	4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe	86

C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
"C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
  "C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
    "C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4876
- C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe
  "C:\Users\Admin\AppData\Local\Temp\4b37ec8267b2fb23495c5d66f905435744dc92dd854b880f12617ce056ce1e65.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian kicking trambling catfight glans penetration (Karin).rar.exe

Filesize
697KB

MD5
e62b715ace35a8df33a16111c5dab152

SHA1
5af5da057066aaca84d2eb64796453933393fea3

SHA256
8745847cbf7c17929dda4440aee7ab9f7468d0fc4efd743b87fc4e5c68fc077f

SHA512
1f00800944c4ac5d3ddd7ac4e04efd442d8e41832804e0013cfb3b96ee4623760d1bc8225c9be8fdadaf48071f5247597dc7c3b5dc279c33f57de876eba905dd

Download Submit