8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
Size

1.0MB
MD5

4ba5cf728ff86d0f0cbcecee7d8908f8
SHA1

95a8a614e91250827994e14996122223fb90a150
SHA256

8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae
SHA512

b88b58978c6732481d1d7a35091c0706530a00e98cb5ec13d58288e569919c5077b1bc182d1a786c44f138f2d19f1b7901c8a3b3391c3c2fe92d9f2b4af9368e
SSDEEP

24576:sWK75hcNvQk3uPSJijaX69PKQ+270OQaq/tQemel:BMh43uaFXlQ+A0qq1F

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023416-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\Z:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\E:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\H:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\I:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\K:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\O:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\V:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\A:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\J:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\N:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\S:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\W:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\B:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\M:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\P:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\Q:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\T:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\G:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\L:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\R:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\U:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File opened (read-only)	\??\X:	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\african beast handjob public ejaculation .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\IME\SHARED\british gay licking nipples .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\french sperm sperm girls (Christine,Samantha).zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian cumshot [milf] black hairunshaved .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\config\systemprofile\handjob cumshot girls shower .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese horse porn public glans (Sylvia,Tatjana).mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast trambling girls .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beast porn full movie pregnant .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\System32\DriverStore\Temp\british horse xxx [bangbus] .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese cumshot handjob licking .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\norwegian sperm handjob sleeping black hairunshaved .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\german gang bang girls (Curtney).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\gay horse [milf] bondage .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\gang bang licking cock .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\porn nude sleeping feet swallow .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\gay handjob public .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\lingerie catfight leather .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Microsoft\Temp\nude sleeping (Tatjana).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\dotnet\shared\action catfight fishy (Sandy,Jenna).mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\malaysia cum public boots .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\swedish fetish hidden (Christine).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish fucking sleeping lady .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Common Files\microsoft shared\norwegian kicking sperm hot (!) .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian kicking hot (!) beautyfull .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\american lingerie masturbation nipples .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\xxx xxx lesbian .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian trambling uncut .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Google\Temp\indian cumshot big bedroom (Tatjana).mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german bukkake lesbian hole .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Program Files\Microsoft Office\root\Templates\sperm [milf] ash hotel .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\temp\black gay action hot (!) titts (Ashley,Christine).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\porn masturbation penetration .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\black trambling big nipples mature (Janette,Jenna).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\spanish gay fetish [bangbus] latex .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\russian fucking action [free] (Anniston,Christine).zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian animal sperm lesbian nipples .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\black bukkake nude [milf] hotel .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\tyrkish cum beastiality catfight legs gorgeoushorny .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\canadian porn several models latex (Liz).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\lingerie [bangbus] .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\canadian lesbian [milf] .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\brasilian action full movie penetration (Sonja).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\black hardcore uncut swallow .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\indian action lesbian hidden high heels .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\horse xxx masturbation bondage .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\danish fucking full movie (Samantha,Karin).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\british gang bang gay big .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\kicking big granny .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\cumshot catfight boobs (Sonja).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian horse sperm girls feet mature .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\canadian sperm nude hot (!) nipples sm (Tatjana).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\fucking girls 40+ (Sylvia,Sonja).mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\kicking [bangbus] .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\beastiality fucking voyeur shower .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\swedish beastiality [bangbus] cock .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\beast handjob public fishy (Gina,Christine).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\spanish gang bang hidden .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\african trambling sperm several models .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\black lesbian lesbian traffic .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\malaysia handjob hardcore uncut .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\black lesbian public granny .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish lingerie full movie .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\gang bang porn big castration .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\animal big latex .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\horse uncut gorgeoushorny .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\black cum lesbian public (Sonja).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\italian xxx bukkake voyeur (Sarah).mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\nude cumshot hot (!) .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\danish beastiality cum [milf] balls (Melissa).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\action trambling masturbation penetration .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\lingerie masturbation beautyfull .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\porn lesbian [free] feet mature .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\brasilian hardcore sperm girls titts beautyfull .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\spanish cum sperm several models legs balls .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\fetish public shoes (Tatjana,Sandy).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\CbsTemp\handjob fucking [bangbus] feet .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\animal action girls high heels .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\handjob fetish voyeur fishy (Curtney,Janette).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\american handjob sperm girls (Tatjana).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\russian fetish beastiality voyeur wifey .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\assembly\tmp\american lingerie animal [milf] vagina pregnant .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\hardcore masturbation .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\african cum beast lesbian boobs mistress (Tatjana).avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\trambling big vagina beautyfull .avi.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\bukkake [free] .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\japanese horse several models glans girly (Christine).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\japanese trambling full movie .rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\gay public .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\InstallTemp\cumshot sperm voyeur nipples .zip.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\norwegian cum hidden gorgeoushorny .mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\trambling sperm hidden ash (Sonja).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\italian sperm cumshot public vagina (Karin).rar.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\black bukkake catfight .mpeg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\fucking several models (Sonja,Britney).mpg.exe	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4432	2412	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4476	2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	85
PID 2412 wrote to memory of 4476	2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	85
PID 2412 wrote to memory of 4476	2412	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	85
PID 4476 wrote to memory of 1812	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	86
PID 4476 wrote to memory of 1812	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	86
PID 4476 wrote to memory of 1812	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	86
PID 4476 wrote to memory of 2680	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	94
PID 4476 wrote to memory of 2680	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	94
PID 4476 wrote to memory of 2680	4476	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	94
PID 1812 wrote to memory of 816	1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	95
PID 1812 wrote to memory of 816	1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	95
PID 1812 wrote to memory of 816	1812	8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe	95

C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
"C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
  "C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
      "C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe"
      4⤵
      PID:816
- - C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe
    "C:\Users\Admin\AppData\Local\Temp\8fe24cddfb206aff5a56a2d7348634936f232f6fbfcacc912f5a85072cf23bae.exe"
    3⤵
    PID:2680
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 940
  2⤵
  - Program crash
  PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2412 -ip 2412
1⤵
PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian kicking hot (!) beautyfull .rar.exe

Filesize
1.5MB

MD5
46b891a44d8941906e2b4fb65d93ccb9

SHA1
4ff811a3d9faf4933cdb061f7b6fa0cd492f8e78

SHA256
e84481cc39422bd4528bb159561ebb13ef7db27f098a35885d9bb38df5e574ef

SHA512
4dec7f5bca6a0405d1bc30e6d78f5cb47019dd5257654810b53d9c3d059fcad0648eabfafc30025902d15c5ee9978db64cb9763ca43bb56a7c33ea6ecd1ed5aa

Download Submit