3ea832fd458d184da246fc6a75de0e5934bfae77b3551fc4af96556e9f31887c

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d54f1fd64c2701a083fe12ffa3fded0.exe
Size

513KB
MD5

1d54f1fd64c2701a083fe12ffa3fded0
SHA1

638522c2c1a388951219b2e0c2ebd14f91865f3b
SHA256

3ea832fd458d184da246fc6a75de0e5934bfae77b3551fc4af96556e9f31887c
SHA512

b92e3448dc7bb38a1c243d39d044a8303e81e15489c5f355715af0ea954811a0fb9686d96f9ec5b7ac6147ded25ef473f40620ece3b8c169af8eba8efdc34db8
SSDEEP

12288:JXCNi9B8YFG1Yx4Cm0sL2PkoCFnAHLZlVsG5gEng4ulA:sWrG1e4CmlL2PvCFY/iGiEnDulA

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	1d54f1fd64c2701a083fe12ffa3fded0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	1d54f1fd64c2701a083fe12ffa3fded0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1d54f1fd64c2701a083fe12ffa3fded0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\M:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\P:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\X:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\E:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\N:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\R:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\S:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\T:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\V:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\W:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\B:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\G:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\J:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\L:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\Q:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\Y:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\A:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\H:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\I:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\O:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\U:	1d54f1fd64c2701a083fe12ffa3fded0.exe
File opened (read-only)	\??\Z:	1d54f1fd64c2701a083fe12ffa3fded0.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish porn horse lesbian .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american cumshot xxx full movie .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\FxsTmp\chinese gay masturbation .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore catfight hole (Sonja,Melissa).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\swedish kicking lesbian hidden glans .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian cum blowjob voyeur hole .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish horse gay masturbation 40+ .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling public titts .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\FxsTmp\american handjob blowjob licking (Samantha).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish kicking fucking girls penetration (Anniston,Karin).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking [milf] bedroom .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian kicking beast sleeping femdom (Jenna,Melissa).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\danish action trambling public cock .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lingerie big feet blondie (Karin).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian kicking lingerie [bangbus] ash .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Common Files\microsoft shared\danish beastiality xxx sleeping fishy .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish animal bukkake voyeur leather .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black beastiality blowjob [free] hole .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\trambling voyeur (Samantha).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Google\Update\Download\gay full movie cock ash .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese fetish bukkake big swallow (Britney,Karin).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish cum lingerie hot (!) (Sarah).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\norwegian lesbian public balls (Gina,Liz).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian animal lingerie lesbian traffic (Jenna,Sarah).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american horse gay sleeping (Curtney).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lingerie [bangbus] girly .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\sperm girls hole (Sonja,Sylvia).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\swedish cumshot sperm masturbation 50+ .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob [free] cock penetration .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Program Files (x86)\Google\Temp\tyrkish fetish gay uncut Ôï .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lesbian full movie (Karin).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\brasilian animal bukkake lesbian stockings .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\sperm lesbian boots (Sonja,Melissa).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\russian cum xxx full movie feet .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\swedish handjob blowjob voyeur .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\security\templates\horse lesbian .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\handjob trambling licking high heels .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\japanese gang bang sperm voyeur feet .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\kicking fucking licking (Janette).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\trambling uncut feet (Sonja,Sylvia).avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\kicking lingerie hot (!) feet 50+ (Curtney).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\beast big (Sylvia).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\action fucking public femdom .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\malaysia lesbian sleeping circumcision .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\german beast [milf] feet (Sonja,Janette).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\lingerie hot (!) .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\black kicking beast lesbian traffic .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\danish cumshot sperm several models .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\american beastiality gay masturbation .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\african blowjob licking (Janette).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\spanish xxx catfight glans (Sonja,Tatjana).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\german blowjob hot (!) hotel .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\british bukkake public hole femdom (Curtney).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\beast hidden .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\action blowjob public hotel .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\beastiality horse hidden (Sarah).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\swedish animal blowjob sleeping .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\danish animal lingerie lesbian (Liz).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\horse beast [milf] cock .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\trambling full movie cock (Sandy,Melissa).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\hardcore hidden mistress (Anniston,Samantha).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\italian fetish beast lesbian upskirt .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\german trambling lesbian black hairunshaved .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\swedish porn xxx full movie glans (Christine,Janette).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\gang bang lingerie lesbian cock shoes (Melissa).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\gang bang xxx uncut titts gorgeoushorny .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\german beast sleeping hotel .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\french bukkake uncut (Karin).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\chinese xxx lesbian titts beautyfull .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\african beast sleeping hole shower (Tatjana).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\bukkake lesbian fishy .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\gang bang fucking lesbian bedroom (Anniston,Jade).zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\action lingerie sleeping (Curtney).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\canadian gay girls young .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\action hardcore voyeur feet .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\hardcore catfight glans (Kathrin,Liz).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\beastiality lingerie masturbation high heels .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\danish action xxx [free] hole gorgeoushorny .zip.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\indian kicking trambling uncut balls (Britney,Tatjana).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\hardcore uncut glans .mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\cum blowjob public glans .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\african lesbian hot (!) .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\danish animal lingerie full movie glans (Sonja,Melissa).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\black kicking lingerie [bangbus] hole upskirt .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lingerie full movie sweet .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\blowjob several models feet .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\malaysia xxx full movie cock .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\american kicking blowjob [bangbus] hole .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\gay sleeping hole stockings (Janette).mpg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\blowjob big .rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian cum bukkake big cock bondage (Curtney).mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\malaysia beast public high heels .mpeg.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\gang bang trambling uncut glans YEâPSè& .avi.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\african sperm hidden swallow (Kathrin,Curtney).rar.exe	1d54f1fd64c2701a083fe12ffa3fded0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
220	1476	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1476	1d54f1fd64c2701a083fe12ffa3fded0.exe
1660	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
4188	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe
2024	1d54f1fd64c2701a083fe12ffa3fded0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4188	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	84
PID 1476 wrote to memory of 4188	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	84
PID 1476 wrote to memory of 4188	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	84
PID 1476 wrote to memory of 2024	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	85
PID 1476 wrote to memory of 2024	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	85
PID 1476 wrote to memory of 2024	1476	1d54f1fd64c2701a083fe12ffa3fded0.exe	85
PID 4188 wrote to memory of 1660	4188	1d54f1fd64c2701a083fe12ffa3fded0.exe	86
PID 4188 wrote to memory of 1660	4188	1d54f1fd64c2701a083fe12ffa3fded0.exe	86
PID 4188 wrote to memory of 1660	4188	1d54f1fd64c2701a083fe12ffa3fded0.exe	86

C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe
"C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe
  "C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe
    "C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1660
- C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe
  "C:\Users\Admin\AppData\Local\Temp\1d54f1fd64c2701a083fe12ffa3fded0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1232
  2⤵
  - Program crash
  PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1476 -ip 1476
1⤵
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish animal bukkake voyeur leather .zip.exe

Filesize
1.8MB

MD5
6cb12b8b133bbb64a3aea3803af078ca

SHA1
6fa63a7d0af92d22a1780a051e3d3dc1453a9963

SHA256
49be2775045597f972b60cad4ba8097af3d451ce33961be3b2b6cfa3af7580c9

SHA512
6d32b7c2cf13b99c39a7ee540754dca243c704d59dbfe84042052a70020860176c73b4d74c8484173d1f7fa7e1a7e737f3174eca4888626d9c4c17fb7380c19a

Download Submit