8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77

Analysis

max time kernel
150s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
Size

901KB
MD5

36e6f1987dafb002b19404c9508c6a3a
SHA1

d84face4a94cf065d319c3b2339931bc2c678e53
SHA256

8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77
SHA512

6ace91d5a5f9e67acea49a52634456842139174ae49cdaa1a1867c18dc0dc73658a54b14b5d8935462bc4f199609b9c2eb273f8fc7b7ea4c34d119e24286f771
SSDEEP

12288:JXCNi9B0DfNFHvV0lJUAhUmuW9U2UwMT/XB9lawaY7w8G+wLpyoF3vMFO/zdXxM4:sWanPKlrhUOaTZLf7w8G+syoF9ERe

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\U:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\B:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\H:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\K:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\M:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\O:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\P:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\X:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\A:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\E:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\J:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\R:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\S:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Z:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\G:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Q:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\V:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\W:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\I:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\L:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\N:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Y:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black lesbian gang bang hot (!) .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse sleeping .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese fucking handjob catfight fishy .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\config\systemprofile\canadian horse animal voyeur .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian porn [bangbus] .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black nude masturbation .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american bukkake beast hot (!) glans lady (Anniston,Karin).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking [bangbus] wifey .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\System32\DriverStore\Temp\african bukkake [free] .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\FxsTmp\african animal beast lesbian leather (Sonja).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian fetish handjob licking young (Jenna,Melissa).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\FxsTmp\indian lingerie hot (!) bedroom (Melissa).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\kicking cumshot girls beautyfull .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\hardcore trambling licking .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Google\Temp\french beast voyeur bondage .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft\Temp\black nude handjob big balls .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\dotnet\shared\spanish horse sleeping circumcision .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american trambling [free] glans YEâPSè& (Jenna).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\gang bang handjob masturbation sweet .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish handjob voyeur nipples castration .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Google\Update\Download\lingerie bukkake catfight sm (Christine).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\beast porn uncut YEâPSè& .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\canadian xxx hidden hole young .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fetish public (Karin).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\horse licking feet (Karin,Sylvia).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Common Files\microsoft shared\african cum full movie pregnant .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Microsoft Office\root\Templates\horse girls legs granny .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish public .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\spanish handjob several models .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\norwegian xxx porn hidden redhair .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\russian sperm cumshot [bangbus] balls .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\british animal lingerie [free] .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\japanese hardcore sleeping .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\asian bukkake hidden titts (Britney).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\chinese horse masturbation mature .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian fucking kicking uncut .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\CbsTemp\british cum animal uncut feet hairy .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\animal lesbian shower .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\canadian blowjob nude [milf] ash .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\chinese beastiality several models .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\beast xxx public .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\horse porn licking titts mature .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\gay hidden girly .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\norwegian horse sleeping 40+ .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\chinese xxx [milf] .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\tyrkish sperm handjob catfight titts mistress .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\asian xxx animal girls .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\sperm voyeur (Jade).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\brasilian gay bukkake masturbation pregnant .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\swedish xxx fetish licking glans fishy .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\gang bang gay several models gorgeoushorny (Sylvia,Sarah).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\swedish animal fucking masturbation fishy .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\InstallTemp\brasilian horse big (Sandy).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\animal hot (!) ash blondie (Kathrin).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\spanish lesbian bukkake catfight gorgeoushorny (Jade).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\tyrkish cumshot beastiality catfight ash .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\kicking hot (!) femdom .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\british fucking kicking sleeping boobs girly (Christine).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\british fetish sperm [milf] legs mature .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\african xxx horse sleeping (Kathrin).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\xxx sleeping nipples traffic .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\trambling public (Curtney,Kathrin).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\PLA\Templates\fetish handjob big high heels .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\gang bang [milf] shower (Britney,Christine).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\italian hardcore big penetration .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\handjob hot (!) .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\african beastiality [milf] boobs mistress .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\british fucking masturbation gorgeoushorny .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\japanese sperm lesbian public boots (Sylvia,Gina).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\mssrv.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\malaysia fucking hardcore [free] hotel .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\japanese horse action catfight vagina (Jade).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\swedish bukkake [bangbus] .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\indian lesbian voyeur cock .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\swedish trambling gay masturbation feet .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\black bukkake [milf] mistress (Liz,Janette).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\handjob lesbian several models mature .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\brasilian blowjob full movie nipples .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\beastiality lesbian cock femdom (Sonja).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\blowjob public balls (Samantha).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\african gay several models ash .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\horse [milf] feet girly .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\norwegian blowjob several models .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\trambling several models YEâPSè& .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\lesbian [bangbus] vagina femdom .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\asian nude gang bang hidden Ôï .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\nude girls .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\fucking lesbian several models castration (Sandy).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\american porn several models ash lady (Jenna,Christine).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\horse public .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\british lesbian hot (!) legs leather .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\black blowjob handjob licking girly .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\german hardcore sleeping .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\hardcore several models .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	3956	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2664	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3148	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 1372	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	84
PID 3956 wrote to memory of 1372	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	84
PID 3956 wrote to memory of 1372	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	84
PID 3956 wrote to memory of 3148	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	85
PID 3956 wrote to memory of 3148	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	85
PID 3956 wrote to memory of 3148	3956	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	85
PID 1372 wrote to memory of 2664	1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	86
PID 1372 wrote to memory of 2664	1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	86
PID 1372 wrote to memory of 2664	1372	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	86

C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
"C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
  "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
    "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
  "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 1844
  2⤵
  - Program crash
  PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3956 -ip 3956
1⤵
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fetish public .rar.exe

Filesize
378KB

MD5
c3b323ea404f27144f391cf50d169d33

SHA1
2e5966c61fb3c8778d05d827e41c57b019e64068

SHA256
debf0b77d89954f7eed470e13ac0aea757d0fd669bf7664df8bfe2bceb023123

SHA512
0030011a8aa2344465eafc807b7039b4a7fc3832baa472154d667d5ec3c6f702d2dec6c7fc2991bd29cfbd60639ecc6f2ccc298ce0a24d86d8321e1006471e99

Download Submit