8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
Size

822KB
MD5

63ba2df1b91537b4c665f274c2572b71
SHA1

6e9b00e993013c3d04929ea040420ac37326b236
SHA256

8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec
SHA512

8950fb995461dc4e4569a9099dcd05a8434803d3068b957107fc9f294bec3bbad26ded008677a763c6a96d2f74fa0733677cde09c4222dc0b813710c3a21afc7
SSDEEP

12288:bPKL8FN5r6hYF8MHeLPPzXXDLTXCsDYIWmTd6YSVezJFHJM2zqY+f5Pe+H9kkGL8:bSLgEhIqPbcI2dezBr69k0LsDcz

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b80-5.dat	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5000-0-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-5.dat	upx
behavioral2/memory/2916-71-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/456-168-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4508-169-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/5000-193-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/2916-197-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/456-200-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4508-201-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\L:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\O:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\Q:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\R:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\T:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\Z:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\G:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\I:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\M:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\P:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\S:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\V:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\X:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\Y:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\B:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\H:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\J:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\E:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\K:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\N:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\U:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File opened (read-only)	\??\W:	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\porn uncut upskirt .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian gang bang [milf] cock bedroom .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\asian beastiality [milf] leather .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse horse big 50+ .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian beast fetish masturbation redhair .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese blowjob lesbian full movie hole .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\System32\DriverStore\Temp\spanish cum fetish licking mature .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\IME\SHARED\norwegian gang bang gang bang lesbian YEâPSè& .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\canadian lingerie several models .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish handjob sleeping leather .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\FxsTmp\british lingerie porn several models traffic .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking hot (!) circumcision .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\kicking catfight .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\cum porn uncut hotel .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\xxx hot (!) (Sylvia,Sonja).rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Google\Temp\hardcore trambling masturbation boobs (Anniston).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Google\Update\Download\gang bang public bedroom .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\french hardcore licking hairy (Tatjana).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\lesbian public bedroom (Kathrin,Jade).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\norwegian animal lesbian hidden leather .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\dotnet\shared\beast uncut cock .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse gay [bangbus] (Janette,Sonja).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian action voyeur feet shoes .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\canadian gang bang lesbian voyeur mistress (Samantha).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\norwegian sperm [milf] balls .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob public blondie .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\french nude girls castration (Tatjana,Sonja).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\root\Templates\spanish porn sleeping ash .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\animal several models ash wifey .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish nude hot (!) .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\lesbian fetish full movie (Anniston,Jenna).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\tyrkish beast masturbation (Sandy).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\beast hot (!) ash (Britney).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\indian handjob licking latex (Sylvia,Jade).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\black lesbian lesbian girls cock sm .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\british kicking full movie .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\brasilian fetish licking .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\beast gay [free] Ôï (Kathrin,Sarah).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\canadian trambling lesbian [free] balls (Sandy,Karin).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\japanese porn sleeping lady .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\german cumshot animal girls gorgeoushorny .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\blowjob fetish public .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\gay voyeur vagina bondage .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\brasilian xxx cumshot masturbation high heels (Melissa).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\beast sleeping (Sonja,Tatjana).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\brasilian hardcore [milf] vagina ejaculation .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\french horse action [bangbus] ash (Sonja).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\swedish bukkake blowjob girls shoes (Ashley,Anniston).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\gang bang kicking several models (Britney).rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\trambling fucking sleeping shoes (Sonja).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\xxx uncut feet swallow .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\american fucking beastiality big .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\american cum lesbian nipples castration .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\malaysia gay cumshot sleeping titts redhair (Melissa).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\swedish cumshot handjob big nipples (Kathrin,Britney).rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\indian horse beastiality [free] mistress .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\hardcore trambling catfight (Liz).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\asian cumshot catfight YEâPSè& .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\asian fetish [free] high heels (Melissa).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\russian kicking handjob voyeur legs boots .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\german horse [bangbus] ejaculation .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\blowjob uncut (Sylvia,Karin).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\handjob porn public .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\german cumshot horse hot (!) legs (Liz).mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\xxx lesbian shoes .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\canadian horse beast [milf] glans .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\sperm blowjob [free] (Ashley).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\indian handjob voyeur bondage .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\italian trambling hardcore several models ash femdom (Liz,Sonja).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\nude uncut Ôï .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\french xxx blowjob catfight .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\brasilian porn big glans young .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\german beastiality action catfight .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\black nude several models .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\lingerie bukkake hidden feet circumcision .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\cum several models high heels (Anniston,Britney).zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\swedish action sleeping nipples high heels .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\horse gay hidden (Melissa).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\japanese fetish trambling uncut (Christine,Sarah).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\german animal gang bang hidden fishy .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\italian trambling cum voyeur titts .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\horse blowjob voyeur feet .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\african lesbian uncut stockings .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\norwegian xxx girls shower .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\german kicking uncut glans .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\asian hardcore xxx several models lady (Sonja,Sarah).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\norwegian xxx several models black hairunshaved (Sonja).mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\tyrkish gay sleeping castration .rar.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\InputMethod\SHARED\horse [bangbus] boots .avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\russian lingerie gang bang uncut boobs 40+ (Jade,Christine).avi.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\russian kicking uncut vagina girly .mpeg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\porn gay licking .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\cum sleeping feet swallow .mpg.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
File created	C:\Windows\assembly\temp\black beast beast uncut .zip.exe	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
4508	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
456	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5000 wrote to memory of 2916	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	86
PID 5000 wrote to memory of 2916	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	86
PID 5000 wrote to memory of 2916	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	86
PID 5000 wrote to memory of 456	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	89
PID 5000 wrote to memory of 456	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	89
PID 5000 wrote to memory of 456	5000	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	89
PID 2916 wrote to memory of 4508	2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	90
PID 2916 wrote to memory of 4508	2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	90
PID 2916 wrote to memory of 4508	2916	8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe	90

C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
"C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
  "C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
    "C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe
  "C:\Users\Admin\AppData\Local\Temp\8818720a3fd582d8d863ca73a66ebb76bb15e393610143e96a706f3f9c792fec.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse gay [bangbus] (Janette,Sonja).mpeg.exe

Filesize
361KB

MD5
74ce5e2fb780d853f14ec67ba051b3c7

SHA1
f2805d8a44deabf6005372a99349b2cbf9f6fc5f

SHA256
bf93776d75d23addb65122ecf2dac3515687737a3ff183be9cd494c97e245948

SHA512
7d77541ad4e4b000f2e7445d1498208f95a649724e8eb970251bfdd33a2823ba7502b346c1ccf26159c9d0e7623c2cc6ad623a792fa4933139585fc630edbf57

Download Submit
memory/456-168-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/456-200-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2916-71-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2916-197-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4508-169-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4508-201-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5000-0-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5000-193-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download