Analysis
max time kernel: 168s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:20
Behavioral task: behavioral1
Sample: 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Resource: win10v2004-20240226-en
General
Target: 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Size: 2.0MB
MD5: 4e5872eca08a9d04742b50d9f860b3e5
SHA1: 0d223ce9bd58ab906e8083e4facd496cb0601eeb
SHA256: 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd
SHA512: 6306c8ed138e017af0558b766a6bc9f33af75d67c001f8eb1bc1c19a52efa3aa60a5d7a2fa11bd1e3b8de432192f0cc5ba32a76d7492ca2dd3f2881c5810bef9
SSDEEP: 49152:j6GIJg7d1hmD9gWwEe5Afsak2DW4ZEkczOtsDkFYta:j6LJUdnhJ5jai4bcyt/+k
Malware Config
Signatures
Detects executables containing possible sandbox analysis VM usernames 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/3804-35-0x0000000000400000-0x0000000000429000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) 5 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2964-0-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia beast animal masturbation redhair .mpg.exe | UPX
behavioral2/memory/1088-12-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/3328-33-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
behavioral2/memory/3804-35-0x0000000000400000-0x0000000000429000-memory.dmp | UPX
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
behavioral2/memory/2964-0-0x0000000000400000-0x0000000000429000-memory.dmp | upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia beast animal masturbation redhair .mpg.exe | upx
behavioral2/memory/1088-12-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/3328-33-0x0000000000400000-0x0000000000429000-memory.dmp | upx
behavioral2/memory/3804-35-0x0000000000400000-0x0000000000429000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 12 IoCs
Drops file in Program Files directory 18 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description | pid | process | target process
PID 2964 wrote to memory of 1088 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 2964 wrote to memory of 1088 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 2964 wrote to memory of 1088 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 2964 wrote to memory of 3328 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 2964 wrote to memory of 3328 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 2964 wrote to memory of 3328 | 2964 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 1088 wrote to memory of 3804 | 1088 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 1088 wrote to memory of 3804 | 1088 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
PID 1088 wrote to memory of 3804 | 1088 | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe | 223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2964

  Level 2: C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1088

    Level 3: C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID: 3804

  Level 2: C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\223114c4b6125f7f36b292d1048b3827941b6e970aa32466999cd6078ad45bbd.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 3328
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\malaysia beast animal masturbation redhair .mpg.exe
Filesize: 1.0MB
MD5: 8239647316019ec99ad75e72025105e4
SHA1: afe81005e0b64aaead84f7d5dc4032e05d95db24
SHA256: 572e50a68aaa63d5433f4a8675590487722a8926eb21c185de6d21f1d1f9cacb
SHA512: c5dc8879105d6348c302df75d8276f55e45dacba2a6b151d3b9793fbbd6ed30675f17ef342add3cf96e33f7d0b0056fd38c01b42775a90c8fb54a2071b8b4e67