ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966

Analysis

max time kernel
159s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
Size

2.0MB
MD5

352f1cf7fce68112687c09346bf100d5
SHA1

6c113f3977f132bf7e932fb706db2ff2859de5e1
SHA256

ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966
SHA512

de2b1cf91d6f5d6b58ff47bb2b2f518228c6999bee021fa60f8676e29d4e0a1b8d73aa865aea9759730acf003edeff0aaf9281945bc530636d3eb52356779e0f
SSDEEP

49152:BO0umU+9cxGHBJ+hvueIDpMXkLMU0XqcWTeLEY:VumUGcx0WvqDB4U0Xqc8wEY

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002322a-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\V:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\X:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\A:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\N:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\T:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\Y:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\Z:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\M:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\E:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\H:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\J:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\L:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\R:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\B:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\I:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\K:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\P:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\Q:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\S:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\U:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\W:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File opened (read-only)	\??\G:	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake action masturbation 50+ .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gang bang uncut YEâPSè& .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black cumshot several models .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\IME\SHARED\african beastiality several models traffic (Liz,Liz).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\asian porn big (Melissa,Tatjana).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian sperm handjob [milf] latex .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese gang bang [bangbus] .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\System32\DriverStore\Temp\asian bukkake masturbation feet .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\FxsTmp\norwegian cumshot big 40+ .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob nude several models castration .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian fucking fetish masturbation .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SysWOW64\IME\SHARED\sperm fucking sleeping .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\chinese bukkake masturbation cock YEâPSè& .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian lingerie hot (!) \Û .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\norwegian lingerie handjob big ejaculation .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian blowjob horse hot (!) .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Common Files\microsoft shared\american trambling uncut cock shower .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish kicking uncut wifey .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\danish gang bang girls redhair .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\chinese xxx [free] .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Microsoft\Temp\tyrkish trambling hidden hole lady .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\root\Templates\porn voyeur .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie blowjob hidden pregnant .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian kicking sleeping cock (Kathrin,Britney).mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\fetish beastiality uncut .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Google\Temp\swedish action fucking sleeping legs .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\beast uncut legs traffic (Sarah).zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\cum big pregnant .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\german xxx cum full movie upskirt .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Program Files (x86)\Google\Update\Download\porn lesbian hairy .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\danish horse sleeping penetration .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\american bukkake hidden legs redhair .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\nude xxx full movie wifey .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\porn hardcore [milf] (Sonja).rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\brasilian horse trambling [milf] boobs .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\cum handjob masturbation YEâPSè& (Janette).mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\xxx cumshot sleeping cock castration .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\cumshot hidden gorgeoushorny (Sylvia,Melissa).mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\spanish fucking hardcore catfight nipples .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\blowjob uncut beautyfull .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\brasilian action nude licking Ôï .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\norwegian fetish girls .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\cumshot horse several models cock granny .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\asian trambling beast masturbation .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\british porn sleeping .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\malaysia animal action masturbation mistress (Sarah,Jenna).zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\french lingerie girls legs lady .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\bukkake full movie titts high heels .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\russian fetish uncut leather .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\japanese bukkake uncut (Christine).mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\chinese action big feet .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\brasilian action gang bang [bangbus] Ôï (Ashley).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\british beastiality hidden nipples latex .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\cumshot licking leather .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\american gang bang kicking catfight cock hotel .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\swedish animal porn uncut .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\african blowjob handjob girls ejaculation .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\norwegian hardcore masturbation black hairunshaved (Ashley,Liz).zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\asian cum gay lesbian vagina .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\indian trambling several models .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian blowjob hot (!) hole .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\japanese horse beast several models stockings .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\canadian nude xxx girls stockings (Sandy,Kathrin).rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\british lingerie full movie .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\spanish fucking trambling [free] stockings .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\fucking gay sleeping redhair .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\brasilian hardcore action uncut hole penetration .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\german blowjob uncut circumcision .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\indian horse horse hot (!) feet lady .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\lesbian trambling catfight (Gina).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\asian action fucking several models .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\brasilian kicking horse lesbian gorgeoushorny (Kathrin,Jenna).mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\beastiality girls .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\hardcore licking hairy .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\indian kicking horse licking .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\tyrkish fucking girls lady (Melissa).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\black beast [milf] .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\asian porn [free] hairy .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\american trambling hidden .zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\japanese hardcore porn licking hotel (Sarah,Tatjana).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\blowjob fucking [bangbus] hotel .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\assembly\tmp\french beast hot (!) nipples .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\chinese nude full movie bedroom .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\chinese lesbian lingerie licking .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\american lesbian beast [free] cock stockings .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\german xxx horse full movie vagina .mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\black nude girls ash sweet .avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\chinese animal several models legs hairy (Sonja).rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\fetish handjob big gorgeoushorny .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese nude horse licking .mpg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\chinese fetish sperm licking (Sylvia).zip.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\tyrkish fetish gang bang hidden lady (Anniston,Curtney).mpeg.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\blowjob porn big high heels .rar.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\indian gay action girls vagina shower (Tatjana,Karin).avi.exe	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4928	1720	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
2992	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
4708	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 5080	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	91
PID 1720 wrote to memory of 5080	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	91
PID 1720 wrote to memory of 5080	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	91
PID 1720 wrote to memory of 4708	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	93
PID 1720 wrote to memory of 4708	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	93
PID 1720 wrote to memory of 4708	1720	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	93
PID 5080 wrote to memory of 2992	5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	94
PID 5080 wrote to memory of 2992	5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	94
PID 5080 wrote to memory of 2992	5080	ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe	94

C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
"C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
  "C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
    "C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2992
- C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe
  "C:\Users\Admin\AppData\Local\Temp\ff91001ef2853c17052d86b1d0f9469086e7bf7ef28f4bb4a39042ab42d8c966.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 1200
  2⤵
  - Program crash
  PID:4928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1720 -ip 1720
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\beast uncut legs traffic (Sarah).zip.exe

Filesize
355KB

MD5
f6382305f2c94bce220366191ec4f8c5

SHA1
09f9c4dbd59dd02747bbd24c2c4b2bea4b1a9120

SHA256
607196f722d461884d18273a53667da0268997609b28fee132b6a82e6431d5bf

SHA512
a25bc5f252069717aad26b676468cd8cec7b97238a2aa6fd046506984b2185748149da84fafdeee69df65029596dc615aee5a5829e855a1415f0b1dd16d10972

Download Submit