5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 22:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
Size

1.4MB
MD5

a67437d384f90a8697e77d2f5b499183
SHA1

7b6ec255b7ccc4ab0505c7c87be1c463d591a900
SHA256

5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93
SHA512

e579400bf87aac0c06d056d2b805b2788191c3a34134bda2ed167ba23a5e3d77bf2cbc1337ee46c019cd4a9848ff2205531fb295ac6365453d03c615e6a783c7
SSDEEP

24576:oWp1lqnuUfrQHNCiDzSuiqEII8G7rR7KqHFxdx6tyTbewwyml2GMwRe:VpMrQtCYOu3m8QV7KqlxdpnCyml+Oe

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\J:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\M:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\N:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\Q:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\S:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\T:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\B:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\H:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\K:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\P:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\X:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\Z:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\E:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\L:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\O:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\U:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\V:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\A:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\G:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\R:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\W:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File opened (read-only)	\??\Y:	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian gang bang blowjob masturbation cock (Anniston,Karin).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\System32\DriverStore\Temp\black handjob lesbian voyeur (Sarah).zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse trambling [free] titts young (Jade).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\FxsTmp\trambling [bangbus] (Karin).mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian action xxx sleeping hole castration .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\xxx public hole fishy .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black horse lesbian lesbian cock bondage (Liz).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish cum xxx lesbian black hairunshaved .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian nude trambling licking boots .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian animal bukkake licking hairy .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lingerie sleeping feet .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish beastiality hardcore voyeur hotel (Anniston,Sylvia).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\swedish horse trambling hot (!) (Sylvia).zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob hot (!) feet upskirt .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Google\Temp\black kicking fucking public .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Common Files\microsoft shared\xxx licking (Sarah).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish fetish horse public .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish porn xxx lesbian latex .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Google\Update\Download\russian cumshot gay [bangbus] feet beautyfull .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\lingerie hot (!) .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\indian cum gay uncut .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\beast catfight .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia lingerie catfight femdom .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\trambling hidden .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\hardcore uncut .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish cum beast hidden glans stockings (Curtney).mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese porn hardcore uncut .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\dotnet\shared\trambling big titts stockings .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american porn blowjob hot (!) cock girly (Liz).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\black animal gay girls hole leather .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\brasilian porn gay voyeur .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\swedish kicking fucking public .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\cum trambling licking hole shower .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\japanese handjob trambling big hole .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish fetish beast masturbation shoes .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\assembly\tmp\blowjob uncut (Liz).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\porn trambling full movie redhair (Sonja,Melissa).zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\porn blowjob sleeping feet upskirt (Samantha).mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\bukkake public .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\CbsTemp\brasilian action beast uncut bondage .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\spanish sperm voyeur glans swallow .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\assembly\temp\indian nude xxx masturbation hole high heels .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\german bukkake catfight titts redhair .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\norwegian bukkake sleeping feet granny .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\asian trambling lesbian (Tatjana).mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\Downloaded Program Files\bukkake hot (!) .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\trambling hidden granny .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\gang bang xxx several models (Liz).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\brasilian animal lesbian full movie redhair (Kathrin,Curtney).mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\british sperm [bangbus] cock 40+ .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\handjob beast lesbian redhair .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\african blowjob public circumcision .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\spanish horse hot (!) titts YEâPSè& (Tatjana).zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\french gay public bondage .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\german trambling uncut hole swallow (Jade).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\french trambling hot (!) titts .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\american fetish hardcore lesbian pregnant .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\black horse trambling hidden redhair .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\french bukkake [milf] hole girly (Sylvia).mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\mssrv.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\fetish lingerie sleeping Ôï .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\lesbian big ejaculation (Anniston,Samantha).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\malaysia sperm catfight .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\black cumshot hardcore licking shower .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\spanish sperm hidden high heels .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\gang bang blowjob [milf] feet swallow .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\asian horse public (Curtney).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse uncut .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\lesbian uncut mistress .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\spanish horse lesbian (Curtney).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian porn hardcore [milf] feet shower .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\action lingerie voyeur mature .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\lesbian girls feet traffic .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\chinese blowjob public .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\norwegian sperm uncut (Tatjana).zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\blowjob masturbation ejaculation (Sonja,Sarah).avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\InstallTemp\lesbian hot (!) .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SoftwareDistribution\Download\blowjob several models young .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\bukkake hot (!) titts .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\horse xxx several models (Tatjana).mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\spanish xxx [free] latex (Gina,Samantha).rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\american animal sperm public hole traffic .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\malaysia hardcore several models glans castration (Samantha).mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse girls stockings .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\malaysia lesbian hot (!) .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\tyrkish fetish bukkake [bangbus] .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\swedish kicking blowjob several models .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\norwegian trambling voyeur feet .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\lesbian licking feet .mpeg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\american action horse hot (!) feet castration .zip.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\cumshot trambling several models cock girly .mpg.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\beast hidden .rar.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\beast hidden high heels .avi.exe	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
2696	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
3296	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4376	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	88
PID 3000 wrote to memory of 4376	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	88
PID 3000 wrote to memory of 4376	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	88
PID 3000 wrote to memory of 3296	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	93
PID 3000 wrote to memory of 3296	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	93
PID 3000 wrote to memory of 3296	3000	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	93
PID 4376 wrote to memory of 2696	4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	94
PID 4376 wrote to memory of 2696	4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	94
PID 4376 wrote to memory of 2696	4376	5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe	94

C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
"C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
  "C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
    "C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2696
- C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe
  "C:\Users\Admin\AppData\Local\Temp\5d292130948243fd68f229a7a1f38f19b45aa794241a93a808dbf4089ac1aa93.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish porn xxx lesbian latex .mpeg.exe

Filesize
381KB

MD5
a496276e10d3fbfab7aa3cdbfceccc65

SHA1
6739fd2b48a8d5dfeb02f0ef602d3d7bd8c0c08b

SHA256
c098899dbd69862627115c91eb014476871c8eb5fa994ef183e3e04ba13554e2

SHA512
fab7ea84e30e0ec41ca270d8af63e2210eedc168e15c3dd3c109c6f4e638f7a5a937fdb274f75f933acaaea216947378e0bbdd54239da8ecf05d8a521437109c

Download Submit