c0cb084aebfa800cbec736c2c15b40f89a43e3f2c43f571681f573b7a7155b43

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88a342b73953627dc29c1c8a64f72312.exe
Size

847KB
MD5

88a342b73953627dc29c1c8a64f72312
SHA1

61c3b6e3b3ea25eea72d684d1c2963ca52de5d3f
SHA256

c0cb084aebfa800cbec736c2c15b40f89a43e3f2c43f571681f573b7a7155b43
SHA512

5d1db29b018a00b0d4038ea8aec907ebfda446e28dae0f59e5135171254060f164dd9c6cafba879cb8aeb26a66a350cecdd0aed130f637ca792ad4a0f4a284e4
SSDEEP

24576:YokJv6wM7Ob9pa1BvTSffGt6sWjKoZdPG2:XkIzW9w4+/W+oi2

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	88a342b73953627dc29c1c8a64f72312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	88a342b73953627dc29c1c8a64f72312.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x000700000002320d-5.dat	upx
behavioral2/memory/1464-105-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1528-170-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4684-171-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4560-195-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1464-201-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1528-202-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4684-204-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	88a342b73953627dc29c1c8a64f72312.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\T:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\U:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\W:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\Y:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\A:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\H:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\L:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\V:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\B:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\J:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\O:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\P:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\R:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\S:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\X:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\Z:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\G:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\N:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\K:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\Q:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\E:	88a342b73953627dc29c1c8a64f72312.exe
File opened (read-only)	\??\I:	88a342b73953627dc29c1c8a64f72312.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\fucking girls titts .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\FxsTmp\american fetish lesbian public feet .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\FxsTmp\french hardcore [free] titts ejaculation .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian porn blowjob girls titts (Christine,Melissa).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish beastiality horse hidden femdom .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\bukkake licking .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish cum lingerie hot (!) fishy .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian horse lingerie big .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gay masturbation .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian gang bang fucking big cock circumcision .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish cumshot bukkake full movie feet castration (Sylvia).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\beast masturbation cock .avi.exe	88a342b73953627dc29c1c8a64f72312.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\indian fetish beast lesbian sm .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian beastiality horse public latex .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\black porn gay [milf] .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Google\Update\Download\indian gang bang gay public (Samantha).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian beastiality hardcore [milf] high heels (Gina,Tatjana).zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\american cum gay hidden traffic .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\tyrkish beastiality lesbian [free] cock ash (Liz).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob [milf] femdom .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Microsoft\Temp\italian nude lesbian licking titts wifey .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian beastiality beast hidden swallow .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Google\Temp\xxx masturbation leather .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking lesbian mistress .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\american porn gay masturbation cock .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\lesbian [free] upskirt (Britney,Samantha).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Common Files\microsoft shared\sperm [bangbus] upskirt .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\root\Templates\trambling licking titts .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish action bukkake full movie swallow (Gina,Karin).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\italian action sperm [bangbus] (Sylvia).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\hardcore masturbation .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\canadian blowjob [bangbus] glans .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\animal bukkake [milf] (Liz).zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\spanish horse licking sm .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\handjob beast big feet girly .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\fucking big cock .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\assembly\tmp\italian cumshot trambling sleeping titts femdom .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\spanish horse hidden beautyfull .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\handjob beast licking .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\trambling hot (!) redhair (Sonja,Karin).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\handjob xxx several models .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\lesbian [bangbus] .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\danish cumshot trambling voyeur cock upskirt (Sarah).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\american cum bukkake full movie leather (Sonja,Melissa).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\InstallTemp\asian xxx hot (!) stockings .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\french trambling voyeur cock circumcision (Janette).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\japanese nude lesbian [milf] feet gorgeoushorny (Curtney).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\norwegian horse lesbian 50+ (Sonja,Janette).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\fucking hot (!) hole (Sandy,Liz).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\horse bukkake lesbian titts (Gina,Janette).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\xxx sleeping .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian handjob horse several models femdom .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\bukkake voyeur ash .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\french lingerie big (Karin).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\animal lingerie uncut .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\asian lesbian full movie femdom .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\chinese beast big latex .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\african trambling sleeping shoes .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\action bukkake licking cock Ôï .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\japanese gang bang trambling hot (!) hole .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cumshot bukkake masturbation upskirt (Ashley,Curtney).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\swedish beastiality xxx girls circumcision (Christine,Tatjana).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\beastiality lesbian voyeur YEâPSè& .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse uncut .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\nude beast masturbation lady .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\xxx masturbation titts fishy (Samantha).zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\british beast licking cock balls (Liz).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\SoftwareDistribution\Download\sperm several models cock YEâPSè& .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\tyrkish handjob lesbian masturbation 40+ .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\handjob hardcore lesbian feet .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\swedish gang bang bukkake hidden mature (Christine,Jade).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\beast [bangbus] .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian gang bang lesbian [bangbus] beautyfull .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\black gang bang hardcore full movie glans (Britney,Karin).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\french hardcore hidden cock wifey (Tatjana).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\brasilian beastiality horse uncut glans (Kathrin,Liz).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\american animal gay uncut (Melissa).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\american porn horse uncut (Samantha).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\african fucking voyeur circumcision .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\fetish hardcore [free] circumcision (Kathrin,Janette).zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\lesbian girls cock high heels .mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\xxx public wifey .mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\lingerie catfight cock 50+ .rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\american nude lingerie [free] glans .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\american gang bang xxx big cock hotel .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\danish animal fucking hot (!) (Samantha).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\japanese handjob hardcore uncut black hairunshaved (Jenna,Samantha).rar.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\nude sperm voyeur (Sylvia).mpeg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\kicking fucking catfight hole 40+ (Curtney).avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\horse lesbian hot (!) 50+ .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\german bukkake [milf] titts sweet .avi.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\porn lesbian sleeping cock 50+ (Melissa).mpg.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\beastiality fucking big glans stockings .zip.exe	88a342b73953627dc29c1c8a64f72312.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\horse trambling voyeur hole leather (Liz).avi.exe	88a342b73953627dc29c1c8a64f72312.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4560	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
4560	88a342b73953627dc29c1c8a64f72312.exe
4684	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1464	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe
1528	88a342b73953627dc29c1c8a64f72312.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1464	4560	88a342b73953627dc29c1c8a64f72312.exe	89
PID 4560 wrote to memory of 1464	4560	88a342b73953627dc29c1c8a64f72312.exe	89
PID 4560 wrote to memory of 1464	4560	88a342b73953627dc29c1c8a64f72312.exe	89
PID 4560 wrote to memory of 1528	4560	88a342b73953627dc29c1c8a64f72312.exe	90
PID 4560 wrote to memory of 1528	4560	88a342b73953627dc29c1c8a64f72312.exe	90
PID 4560 wrote to memory of 1528	4560	88a342b73953627dc29c1c8a64f72312.exe	90
PID 1464 wrote to memory of 4684	1464	88a342b73953627dc29c1c8a64f72312.exe	91
PID 1464 wrote to memory of 4684	1464	88a342b73953627dc29c1c8a64f72312.exe	91
PID 1464 wrote to memory of 4684	1464	88a342b73953627dc29c1c8a64f72312.exe	91

C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe
"C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe
  "C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe
    "C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe
  "C:\Users\Admin\AppData\Local\Temp\88a342b73953627dc29c1c8a64f72312.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish action bukkake full movie swallow (Gina,Karin).rar.exe

Filesize
1.6MB

MD5
6c1c1990b4403880fbd3da35c1856997

SHA1
8de743c00c51b05cfccdee6fa3e7ac9da914c5ba

SHA256
c361b0656c870d711c805aec8ee05c83e81583cc5170ac581da1c751898737b8

SHA512
88a512e228be0bb8291c4a90830e6a3f691e65000b55881bcdc76184b54135653b47011e11646dddc8219c6adaf3ba82368baf821f6f13373cb622b66658af49

Download Submit
memory/1464-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1464-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1528-170-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1528-202-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4560-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4560-195-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4684-171-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4684-204-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download