1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
Size

458KB
MD5

1563513f56f0e0be13e117f0c936f3d1
SHA1

3f54ff46b253a29084c6a543b228852ab06e6207
SHA256

1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399
SHA512

63e2e1794f19a0d5ee0b99814cf63d784aedb6d5a88a8b4dafd9d159259957a3e53a01018cd580c329298b4df4277d27319ee4f34e381f4fabddb435457cf91c
SSDEEP

12288:A//vi9BlWRdkNMlkZ89pZNOmk3iqPumB5rA+lbUgTOon:2wlQdkOKZ8pY13iqP5B5rHxxTOg

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340e-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\J:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\K:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\O:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\Q:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\H:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\M:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\N:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\R:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\T:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\W:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\G:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\L:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\S:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\V:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\X:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\Z:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\A:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\B:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\E:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\P:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\U:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File opened (read-only)	\??\Y:	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\cum trambling hidden pregnant .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore voyeur titts 50+ .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american beastiality hardcore several models glans .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gay hot (!) balls .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian animal sperm licking cock ash (Sylvia).rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian action xxx sleeping glans high heels (Jade).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse public .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish cum blowjob masturbation .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american nude blowjob [free] balls .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore girls gorgeoushorny .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian kicking lesbian hidden penetration (Gina,Janette).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish kicking xxx [milf] glans 50+ .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\action bukkake big feet high heels .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish porn blowjob masturbation titts ash .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\blowjob masturbation young (Jenna,Janette).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Microsoft\Temp\indian fetish beast [milf] glans .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\root\Templates\danish action bukkake masturbation titts circumcision .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\russian gang bang lingerie [milf] feet .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian nude bukkake hot (!) feet bedroom (Liz).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Google\Temp\horse hidden femdom .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish cumshot xxx lesbian cock lady .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Common Files\microsoft shared\lingerie [free] titts .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast several models (Samantha).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\sperm girls titts .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\french fucking [bangbus] feet ¤ç .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx uncut beautyfull .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\dotnet\shared\lingerie catfight (Melissa).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian cumshot bukkake [free] hole .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fucking sleeping hole 50+ .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beast hot (!) glans gorgeoushorny (Melissa).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\asian lesbian masturbation stockings .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\assembly\tmp\brasilian kicking lingerie catfight feet .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\chinese trambling voyeur beautyfull (Sandy,Sarah).rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\german trambling hidden (Sarah).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\canadian lingerie full movie mature .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\bukkake public feet 40+ .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\black horse bukkake [bangbus] .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\german horse [bangbus] (Sylvia).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\beastiality bukkake [bangbus] (Liz).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\hardcore hot (!) (Janette).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\british beast full movie cock .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\asian horse masturbation glans ejaculation .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\action sperm licking .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\swedish cumshot bukkake public (Jade).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\porn fucking licking feet bondage (Liz).mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\brasilian gang bang bukkake masturbation feet .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\Downloaded Program Files\hardcore uncut pregnant .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\asian sperm hot (!) titts YEâPSè& .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\danish nude blowjob public cock redhair (Karin).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\handjob hardcore [bangbus] (Melissa).rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\russian cum beast public cock granny .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\american fetish beast licking cock boots (Liz).mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\trambling lesbian YEâPSè& .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\asian lesbian [bangbus] castration (Christine,Melissa).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\indian nude bukkake girls hole 40+ .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\CbsTemp\gay girls feet penetration .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\cumshot trambling masturbation hole mature .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\kicking beast [milf] (Karin).mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\canadian blowjob girls feet beautyfull (Janette).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\beast [bangbus] .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\fetish hardcore girls glans granny (Liz).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\swedish beastiality trambling lesbian ejaculation .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\tyrkish handjob lingerie licking .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\swedish beastiality beast big (Melissa).zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\beastiality trambling full movie feet leather .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\spanish trambling masturbation (Curtney).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lesbian hidden cock hairy .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\danish porn xxx masturbation titts .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\french hardcore public titts .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\trambling full movie .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\beastiality sperm [milf] glans .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\german gay public .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\italian cum trambling full movie wifey .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\norwegian xxx licking (Sylvia).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\malaysia horse girls titts .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\african gay sleeping .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\french xxx public feet ejaculation (Melissa).mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\malaysia xxx catfight cock sm .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\InstallTemp\action hardcore lesbian (Tatjana).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american nude beast licking feet .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\asian trambling [free] .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\danish cum trambling catfight (Karin).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\PLA\Templates\russian handjob xxx big hotel .rar.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\black cum sperm licking femdom .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\gay sleeping (Liz).avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\american kicking beast lesbian stockings (Gina,Tatjana).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\beastiality horse several models balls .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\fetish hardcore licking beautyfull .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\tyrkish handjob trambling sleeping young .mpg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\black gang bang horse hot (!) balls .mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\kicking lingerie [bangbus] wifey .zip.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fetish horse hot (!) sm .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\spanish fucking full movie glans balls (Curtney).mpeg.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\animal sperm licking .avi.exe	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
4148	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 4784	3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	81
PID 3788 wrote to memory of 4784	3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	81
PID 3788 wrote to memory of 4784	3788	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	81
PID 4784 wrote to memory of 4148	4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	82
PID 4784 wrote to memory of 4148	4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	82
PID 4784 wrote to memory of 4148	4784	1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe	82

C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
"C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
  "C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe
    "C:\Users\Admin\AppData\Local\Temp\1d533713fa60e6b990d8db5a4ba07acf818236d840a4a239f28fe358dcb1d399.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian cumshot bukkake [free] hole .mpg.exe

Filesize
876KB

MD5
5af83d29734e1d3c7745aa2b745db093

SHA1
23a2847e31626cef8018c6e1fd092a2458a7035f

SHA256
f39989b84982339f57fb7b379ccf04ba7dd674adbb3677d5aec546f29a195596

SHA512
396ffc0a72fefd4ae11748e798e048a38a809853f1999bfd685c655e5d4a090e0e717aa3fd47906dc4c36e0e27c87cadda31a691aab8ea1ee3163718a5c7b621

Download Submit