c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8

Analysis

max time kernel
162s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
Size

1.6MB
MD5

e23f8bb38485ae01345747d7ef4cfa06
SHA1

84e276ef8b3a302a43a10584f001816e1ab861a4
SHA256

c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8
SHA512

bd8c40cee70ac1aef7ffd996f3dd164e92bf10228dcdcb3b5a9fc429390d3824b70b257007725c6201807a24db3fc48f9439f914efb0869c1a00c2f3c162331a
SSDEEP

24576:86Gj/chy9u8zPHGeSGjadTQdDqqskYwTb7a7qM+irMQKmPu0OhDNLd/:5mQaXzPHGeVgTqDvYwTb6qjQXPAD7

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002321a-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\G:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\L:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\W:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\E:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\J:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\O:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\Q:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\T:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\B:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\H:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\I:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\K:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\N:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\R:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\S:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\U:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\V:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\X:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\Y:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\Z:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\M:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File opened (read-only)	\??\P:	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\horse public nipples .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\british bukkake action uncut .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\german horse nude several models .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore horse full movie .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese fucking public .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\spanish kicking [bangbus] .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian nude horse hidden vagina balls (Sylvia,Tatjana).rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian xxx [milf] .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black kicking several models 50+ .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese nude handjob sleeping glans swallow .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian blowjob public shoes .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\System32\DriverStore\Temp\beastiality big (Britney,Anniston).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\norwegian action uncut feet fishy .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fetish hidden (Sonja,Samantha).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking [bangbus] ash blondie (Sonja).avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\canadian gang bang horse several models beautyfull .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\bukkake hardcore hidden circumcision .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\german horse fucking [milf] blondie .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Google\Update\Download\nude hot (!) penetration .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\handjob lesbian penetration .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Common Files\microsoft shared\action sleeping gorgeoushorny .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\dotnet\shared\beastiality trambling lesbian stockings .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\swedish fetish full movie mature .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\xxx girls .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob [bangbus] sm .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish porn [free] boots (Sylvia).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\animal catfight latex .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\nude [free] feet ejaculation .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Google\Temp\russian fucking voyeur .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Program Files (x86)\Microsoft\Temp\african beast voyeur feet (Anniston).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fucking cumshot public stockings (Sonja).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\british beast trambling uncut nipples .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\german fucking [milf] (Sarah,Ashley).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\CbsTemp\horse girls glans shoes (Kathrin).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\lesbian gay voyeur feet swallow .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\fucking several models glans girly .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\horse hidden boots (Liz).avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\tyrkish horse sleeping hotel (Tatjana,Jade).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\porn trambling voyeur cock .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\horse several models bondage .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\spanish beast full movie ash ejaculation (Kathrin,Christine).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\assembly\tmp\canadian handjob trambling [bangbus] .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\animal fucking catfight .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\asian nude xxx lesbian legs blondie .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\american gay lesbian lady .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\italian bukkake [milf] mature (Karin,Sandy).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\japanese lingerie sperm [free] pregnant .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\danish fucking catfight castration .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\lesbian gay masturbation hotel .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\bukkake voyeur cock .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black xxx hot (!) (Gina).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\xxx big .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\british hardcore action hot (!) wifey .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\animal big .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lesbian porn masturbation .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\spanish beast hidden .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\cum action lesbian stockings .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\indian blowjob sleeping ash .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\PLA\Templates\brasilian fucking public Ôï .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\british kicking masturbation glans .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\russian fucking [milf] boobs balls .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\italian gay animal catfight castration .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\african horse [bangbus] .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\british horse gay catfight (Ashley,Ashley).zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\tyrkish cum voyeur swallow .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\german fetish lesbian titts gorgeoushorny (Ashley).rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\canadian blowjob catfight sweet (Gina,Jenna).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\canadian gang bang full movie (Curtney).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\gang bang trambling [bangbus] blondie (Sonja,Curtney).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\sperm hardcore lesbian (Jenna,Tatjana).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\french beast bukkake [bangbus] granny .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish xxx voyeur nipples ash .rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian bukkake [milf] feet .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\InputMethod\SHARED\danish beastiality several models upskirt .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\nude beast girls (Sonja,Janette).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\german bukkake hidden circumcision .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\malaysia horse [bangbus] .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\asian fucking hot (!) 50+ .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\security\templates\canadian porn [free] shower .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian kicking fetish uncut (Sandy,Liz).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\norwegian lesbian voyeur (Sylvia,Curtney).mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\animal [free] .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\american sperm [free] titts ejaculation (Jenna).mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\chinese fetish full movie titts gorgeoushorny .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\gang bang handjob masturbation feet shower .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\lesbian nude full movie ash .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\blowjob [bangbus] upskirt .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\Downloaded Program Files\sperm full movie traffic (Sonja).rar.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\spanish gang bang lesbian feet .mpeg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\canadian nude uncut hole young .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\horse sleeping feet balls .zip.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\russian hardcore masturbation nipples .avi.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
File created	C:\Windows\SoftwareDistribution\Download\fucking lesbian masturbation .mpg.exe	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3180	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
2920	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 3680	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	84
PID 4268 wrote to memory of 3680	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	84
PID 4268 wrote to memory of 3680	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	84
PID 4268 wrote to memory of 2920	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	85
PID 4268 wrote to memory of 2920	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	85
PID 4268 wrote to memory of 2920	4268	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	85
PID 3680 wrote to memory of 3180	3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	86
PID 3680 wrote to memory of 3180	3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	86
PID 3680 wrote to memory of 3180	3680	c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe	86

C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
"C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
  "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
    "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3180
- C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe
  "C:\Users\Admin\AppData\Local\Temp\c1861e61f16e7d2e8d3c1882a8e3ca5059ae294eab39c0784ac6d4b262dfe1e8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\norwegian action uncut feet fishy .zip.exe

Filesize
1.7MB

MD5
10e8b1eca3400064732eb0bcdcb1cbba

SHA1
2740f2abe2c9d154459d0469d274c02792186eb6

SHA256
a107a0d776e7010485b3e69c403ea18073efafadf95f2d0b5d2810f0e1c53005

SHA512
be02182b90e4230d01be58139c8305dfef0dcbb960693a2cf1c8f08480efb68df089ade29cc61ac475d6b2d5f9fb10118c06c36911fadc36df57950a5b941b52

Download Submit