20d01f15845ea81efc5ac21b7e2f14cc0d5d85510d8a866bf6ab3e98caf5cfde

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fb2f80361d9ee598f6a33d5dcc4ac0.exe
Size

1.0MB
MD5

46fb2f80361d9ee598f6a33d5dcc4ac0
SHA1

037a6eb7ce54aa3b0ab827ba54378cb2d8156cd1
SHA256

20d01f15845ea81efc5ac21b7e2f14cc0d5d85510d8a866bf6ab3e98caf5cfde
SHA512

fbc1b1c2a65a4359cdce9f0270b2e7e1e81b3acf5cc93b785efd040fe5f8d3ccf659bdf788cab87788c5d7121d03aa56c434373e6c66701c06f0a69919f1c120
SSDEEP

24576:oWCU12Y/QF22fEw/t8JS3rzVN3MxGd+t8CkIb+wDxviSOGwjfF4jg9sPm:V7h/h2fE4t8I3rMxGukXwYGqfF4jZPm

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1015551233-1106003478-1645743776-1000\Control Panel\International\Geo\Nation	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\V:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\W:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Z:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\X:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Y:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\A:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\H:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\L:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\R:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\N:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\P:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\U:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\E:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\G:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\I:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\J:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\S:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\T:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\B:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\K:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\O:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Q:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american handjob sperm [free] titts ash (Sarah).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx voyeur fishy .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\xxx girls penetration .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black gang bang bukkake public .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese beastiality hardcore [free] .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish cum lesbian [milf] latex .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese porn fucking [bangbus] 40+ .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black cum lesbian big feet black hairunshaved .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian porn beast sleeping titts (Christine,Melissa).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore voyeur .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn gay [bangbus] black hairunshaved .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian kicking beast masturbation hole balls (Sarah).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\blowjob voyeur .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore public fishy (Sonja,Karin).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese animal gay hot (!) sweet .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\bukkake full movie .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american gang bang fucking [bangbus] fishy .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\russian fetish horse sleeping feet ejaculation .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\brasilian cum lingerie masturbation hole .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob [milf] cock stockings .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\blowjob voyeur glans 50+ .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\sperm several models glans sweet .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian cumshot blowjob uncut shower .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\fucking public cock castration .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\italian nude beast full movie feet fishy (Curtney).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Common Files\microsoft shared\indian horse lingerie [free] balls .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\dotnet\shared\lingerie big cock (Britney,Samantha).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\trambling catfight circumcision .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish nude sperm lesbian hole 50+ (Liz).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Google\Temp\sperm hot (!) blondie .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\Download\italian nude horse masturbation girly .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\black cum sperm voyeur penetration .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\trambling sleeping cock (Jenna,Sarah).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\german beast big glans .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\fucking girls lady .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\japanese nude fucking voyeur (Melissa).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\xxx uncut hole mistress .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\lesbian catfight ejaculation .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\cumshot sperm full movie swallow .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\american beastiality bukkake [bangbus] (Tatjana).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\Temp\beast uncut 40+ (Anniston,Jade).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\norwegian beast several models YEâPSè& .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\british horse several models glans .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\spanish horse masturbation .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\chinese lesbian [bangbus] boots .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\blowjob [bangbus] .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\black animal hardcore masturbation mature .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\CbsTemp\indian action trambling hot (!) mature .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\indian fetish horse [free] .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\danish animal beast licking (Jade).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\asian horse sleeping feet Ôï .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\british sperm several models bedroom .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\asian gay full movie castration (Gina,Sylvia).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\Downloaded Program Files\lingerie catfight glans ejaculation (Jade).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\tyrkish cum lesbian hidden .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\french blowjob [bangbus] beautyfull .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\french trambling full movie glans girly .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\brasilian gang bang beast hidden titts .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\malaysia hardcore lesbian titts .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\russian cumshot beast public hole redhair (Tatjana).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\japanese action fucking big titts .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\japanese nude beast full movie glans .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\hardcore full movie cock .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\cumshot lesbian [milf] glans granny (Sylvia).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\african sperm full movie .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\hardcore sleeping leather .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\norwegian horse catfight upskirt .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\trambling voyeur .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese fetish xxx [milf] .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\british bukkake uncut cock ash (Melissa).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\swedish animal fucking full movie .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\beastiality bukkake [bangbus] .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\brasilian gang bang fucking [milf] titts gorgeoushorny .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\japanese gang bang gay lesbian gorgeoushorny (Christine,Janette).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\swedish nude gay [milf] ash .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\cum bukkake big hole Ôï .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\trambling hot (!) titts .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\spanish blowjob uncut (Liz).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\porn fucking hidden mature .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\brasilian beastiality trambling masturbation .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\swedish cum lingerie catfight hole .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\cum xxx sleeping girly .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\norwegian beast hidden .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\handjob gay full movie (Sylvia).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\canadian horse public glans .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\african hardcore hidden .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\beastiality lesbian public gorgeoushorny .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\canadian sperm sleeping pregnant .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\french hardcore masturbation (Sylvia).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian gang bang blowjob [bangbus] fishy .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\malaysia horse big (Curtney).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\brasilian kicking trambling hidden cock .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\british lingerie public swallow .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\asian lingerie big glans (Ashley,Samantha).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3728	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
3872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4028	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	85
PID 3392 wrote to memory of 4028	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	85
PID 3392 wrote to memory of 4028	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	85
PID 3392 wrote to memory of 3872	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	86
PID 3392 wrote to memory of 3872	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	86
PID 3392 wrote to memory of 3872	3392	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	86
PID 4028 wrote to memory of 3728	4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	87
PID 4028 wrote to memory of 3728	4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	87
PID 4028 wrote to memory of 3728	4028	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	87

C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
"C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
  "C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
    "C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3728
- C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
  "C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob [milf] cock stockings .rar.exe

Filesize
838KB

MD5
1c886e9d9b2490442c24ecf14343e3a4

SHA1
41a80de61a30a83723c85f9c49d31255e2dd6447

SHA256
f636d8eddfad4e7fe237bb850c0c15a2707e2ae53a2b204728b4dbb7b60ffa2f

SHA512
ebba7b5917316939f32ca5124e2ffffa5d52ed27d12409687f7b2f7833fc552c64a5f0350172b32bfb5250e1bfbce359849fae43dcaa562ba1c2c3e388d80b0b

Download Submit