d31366f45935d41df509d979f639b2e1fbb3f7e04818aaf36d5102481f75698b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32a43ca1c42bd173f3395cd3b2674750.exe
Size

286KB
MD5

32a43ca1c42bd173f3395cd3b2674750
SHA1

e6acf8a0670bcc0217325ae0cd05dec57f2ba2d3
SHA256

d31366f45935d41df509d979f639b2e1fbb3f7e04818aaf36d5102481f75698b
SHA512

8a8c9e635ecaa109d6557d672f0348d012f42a0867ecf0f642dd288ab412043ff00f01b66e21286a32262ab3ff3f6d76d0694218d7e393ede8afb49c5408a309
SSDEEP

6144:dXC4vgmhbIxs3NBBlc+eJhxatKx9lRyQVqdUh3IHnO2USJMEV5QQ1y60GCX:dXCNi9B/cvQt09by5yIHnO2NwQ1f0Gy

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	32a43ca1c42bd173f3395cd3b2674750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Control Panel\International\Geo\Nation	32a43ca1c42bd173f3395cd3b2674750.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	32a43ca1c42bd173f3395cd3b2674750.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\A:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\B:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\I:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\L:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\P:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\Q:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\Z:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\E:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\G:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\M:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\N:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\O:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\X:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\H:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\T:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\U:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\J:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\K:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\S:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\V:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\W:	32a43ca1c42bd173f3395cd3b2674750.exe
File opened (read-only)	\??\Y:	32a43ca1c42bd173f3395cd3b2674750.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian nude fucking licking pregnant .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian nude lingerie hidden traffic (Ashley,Liz).mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish beastiality fucking public hole YEâPSè& .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse uncut beautyfull .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish beastiality xxx sleeping hole leather (Melissa).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast girls castration .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian action gay lesbian titts .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\FxsTmp\fetish blowjob [bangbus] Ôï .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm licking hole (Jenna,Melissa).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\IME\SHARED\nude lesbian uncut hotel (Sandy,Sarah).mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian animal blowjob [milf] (Janette).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian cum blowjob big (Jade).zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish kicking trambling [free] feet .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast [free] upskirt .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\italian nude bukkake several models ash .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\lesbian public \Û .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Google\Update\Download\gay lesbian latex .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian action fucking lesbian (Melissa).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\gay girls cock black hairunshaved .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Google\Temp\american gang bang gay uncut (Tatjana).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Common Files\microsoft shared\lingerie lesbian beautyfull .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\dotnet\shared\tyrkish horse sperm uncut titts blondie .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Microsoft Office\root\Templates\indian porn xxx lesbian .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay hidden 40+ .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking hot (!) (Jade).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\fucking big castration .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\sperm hot (!) .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Microsoft\Temp\sperm sleeping blondie .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian beastiality lesbian masturbation lady .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\xxx hidden hole .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\CbsTemp\danish handjob blowjob full movie castration .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\norwegian xxx public (Sylvia).zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\horse sleeping glans upskirt .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\brasilian porn horse [free] hairy .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\russian fetish bukkake uncut .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\lesbian uncut mistress .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\swedish cumshot sperm catfight (Janette).mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\kicking sperm catfight feet castration .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\fetish bukkake lesbian blondie .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\brasilian beastiality lingerie uncut black hairunshaved .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\animal sperm licking shoes (Jenna,Karin).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\asian xxx [bangbus] (Jade).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\Temp\russian gang bang lingerie big (Sarah).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\african lesbian masturbation feet circumcision (Sylvia).zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\beast public titts (Gina,Curtney).zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\canadian blowjob masturbation gorgeoushorny .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian fetish lesbian [milf] cock black hairunshaved .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\russian nude blowjob [free] glans .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\mssrv.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\spanish beast [milf] shoes .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\indian kicking lingerie [bangbus] (Sylvia).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\indian beastiality lesbian uncut (Karin).mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\asian fucking big 40+ .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\spanish trambling big 50+ .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\animal fucking full movie stockings (Britney,Liz).mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\spanish fucking hot (!) cock .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\canadian bukkake [milf] stockings (Sonja,Jade).mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\gay public cock girly (Sylvia).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\nude xxx voyeur black hairunshaved .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\assembly\temp\american kicking xxx lesbian hole circumcision (Janette).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\chinese lesbian public titts .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\norwegian lingerie public hole .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\chinese gay full movie titts penetration .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\trambling licking penetration .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\action blowjob licking .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\norwegian blowjob several models wifey .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\italian action lesbian girls wifey .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\chinese blowjob [milf] .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\german bukkake hidden shoes (Jenna,Samantha).mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\kicking sperm uncut fishy .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\cum lesbian lesbian glans hairy (Jade).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\spanish horse big Ôï .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\japanese handjob fucking several models mature .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie masturbation (Sylvia).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\russian beastiality bukkake [bangbus] .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\swedish gang bang bukkake hidden granny (Kathrin,Sarah).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\black cumshot lesbian masturbation hole upskirt (Tatjana).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\bukkake hidden glans .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\porn xxx big .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\xxx voyeur feet .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\gang bang beast lesbian (Tatjana).rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\nude sperm catfight cock .avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\asian fucking sleeping Ôï .zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\xxx masturbation hole .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\american cum xxx sleeping granny (Ashley,Janette).avi.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\InstallTemp\porn hardcore catfight high heels .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\swedish animal xxx catfight balls .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\italian fetish lesbian several models glans femdom (Sarah).zip.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\russian porn gay [free] feet pregnant .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\PLA\Templates\indian action trambling uncut pregnant .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\beastiality blowjob full movie circumcision .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\japanese beastiality bukkake several models Ôï .mpeg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\canadian xxx lesbian .mpg.exe	32a43ca1c42bd173f3395cd3b2674750.exe
File created	C:\Windows\SoftwareDistribution\Download\brasilian horse blowjob full movie feet .rar.exe	32a43ca1c42bd173f3395cd3b2674750.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
2144	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3864	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
3512	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe
772	32a43ca1c42bd173f3395cd3b2674750.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 3864	3512	32a43ca1c42bd173f3395cd3b2674750.exe	84
PID 3512 wrote to memory of 3864	3512	32a43ca1c42bd173f3395cd3b2674750.exe	84
PID 3512 wrote to memory of 3864	3512	32a43ca1c42bd173f3395cd3b2674750.exe	84
PID 3864 wrote to memory of 772	3864	32a43ca1c42bd173f3395cd3b2674750.exe	85
PID 3864 wrote to memory of 772	3864	32a43ca1c42bd173f3395cd3b2674750.exe	85
PID 3864 wrote to memory of 772	3864	32a43ca1c42bd173f3395cd3b2674750.exe	85
PID 3512 wrote to memory of 2144	3512	32a43ca1c42bd173f3395cd3b2674750.exe	86
PID 3512 wrote to memory of 2144	3512	32a43ca1c42bd173f3395cd3b2674750.exe	86
PID 3512 wrote to memory of 2144	3512	32a43ca1c42bd173f3395cd3b2674750.exe	86

C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe
"C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe
  "C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe
    "C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:772
- C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe
  "C:\Users\Admin\AppData\Local\Temp\32a43ca1c42bd173f3395cd3b2674750.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish kicking trambling [free] feet .rar.exe

Filesize
1.4MB

MD5
afc4e48d53c0eaeb309a6d0978c65e44

SHA1
f61725ecb85a498757117a26abcdd8fe6667888d

SHA256
fa39b83fd505ad642678515eecdf60f640a6053720847defc0e05ed56f91bc58

SHA512
9f8629694a09620c202b8024021227e45c5c4d90d2c55c12552cf0eaffe62efee8d80830ce30b48c8f2a2f8e90e770ba20b26a920ac77ef3ecf2346cf2829dc3

Download Submit
memory/772-209-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3512-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3864-123-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download