f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
Size

982KB
MD5

2197a8e9885ba9c9d8efb4b13d3d8b45
SHA1

30c09b9d87b0487c866f09c7ae9e2a3049993494
SHA256

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da
SHA512

46c94344c9827f30c4f6374e1d03a966d36afd00a4b92f3c493c54eb2c6fbbe6bab3c3740c61d5e52f290c36c0e71e856742c7e4742e9a050e46d2d04f453853
SSDEEP

24576:2wPG4ZzqQyDuQtljBs0PkqwZq9dhoZfIsKuSHpWCtF:h3ZatliGw2dKfIsKuKWiF

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian horse catfight .avi.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

resource	yara_rule
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian horse catfight .avi.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File opened (read-only)	\??\Q:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\Z:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\G:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\J:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\O:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\R:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\H:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\M:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\P:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\V:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\X:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\E:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\I:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\T:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\L:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\N:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\S:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\U:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\W:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\A:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\B:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\K:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\Y:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in System32 directory 12 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese gang bang animal [milf] (Liz,Jade).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian gay nude [milf] feet .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\config\systemprofile\french cum porn lesbian .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx porn girls traffic (Melissa,Karin).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish gang bang catfight nipples bondage .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian licking .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese fetish cumshot full movie .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\IME\SHARED\french lesbian beastiality several models traffic .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse trambling big .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gang bang licking fishy .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\System32\DriverStore\Temp\black nude voyeur (Karin,Sonja).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish gay big (Jenna).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in Program Files directory 17 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Program Files\Common Files\microsoft shared\xxx girls glans 40+ .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\root\Templates\black xxx gay several models cock .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\indian handjob masturbation .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Google\Temp\american cumshot catfight hotel .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Google\Update\Download\french kicking hidden .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\african nude beastiality sleeping (Britney).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\action animal public hotel .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\italian gay hidden titts swallow .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\russian lingerie fetish uncut balls .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\tyrkish beast fetish big (Jenna,Sarah).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\norwegian bukkake girls bondage (Anniston).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore girls .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian nude gay hidden titts .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\norwegian xxx catfight boots .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\spanish cumshot cum lesbian hole penetration .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\dotnet\shared\indian gang bang trambling uncut balls (Janette).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian horse catfight .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in Windows directory 64 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\canadian gay full movie bedroom .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\lingerie lesbian full movie young .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\action porn public castration .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\gang bang uncut .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\action [bangbus] YEâPSè& .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\spanish porn handjob girls ash .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\action kicking hot (!) legs ash .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\danish fucking uncut .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\norwegian fetish fetish full movie glans young .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\beast cum [milf] glans girly .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\lesbian beastiality sleeping (Jenna,Sonja).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\russian hardcore uncut hotel .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\brasilian kicking beastiality several models cock (Melissa).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\russian cumshot [free] .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\sperm public leather .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\malaysia nude public hotel .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\cumshot beastiality masturbation .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\animal lingerie masturbation glans femdom .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\japanese cum horse [free] .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\lingerie girls upskirt .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\blowjob masturbation nipples .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\animal sleeping feet bondage .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\malaysia handjob handjob hidden Ôï (Melissa,Curtney).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\indian horse animal [bangbus] .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\black hardcore uncut black hairunshaved .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\canadian trambling porn hot (!) redhair .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\PLA\Templates\spanish fetish public (Sarah).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\fucking cum lesbian redhair .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\brasilian beastiality voyeur YEâPSè& .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\african gang bang voyeur vagina .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\canadian gang bang several models .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\norwegian beast animal several models .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\blowjob hot (!) .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\InstallTemp\nude xxx catfight ash hairy (Sonja,Kathrin).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\spanish fetish fetish licking young (Jenna).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\asian fucking full movie sweet (Jenna,Curtney).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\horse beastiality big boobs .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\african fetish handjob [bangbus] boobs (Jenna,Sonja).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\cumshot sleeping titts femdom .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\brasilian cumshot gang bang hot (!) ash (Curtney).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\swedish lesbian girls (Sonja,Samantha).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\canadian gay lesbian (Sandy,Christine).rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\beastiality horse several models boobs beautyfull .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\hardcore [free] feet swallow .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\russian handjob fetish full movie (Tatjana,Sarah).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\blowjob action licking bondage .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\tmp\sperm [bangbus] 50+ .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\french cum hardcore girls .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\french horse fetish hot (!) mature (Janette,Gina).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\cum [bangbus] young .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\indian gang bang licking vagina .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\action catfight ash hotel .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\lesbian catfight cock boots .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\german animal porn hidden boobs bondage .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\russian sperm lesbian gorgeoushorny (Britney,Britney).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\spanish handjob big .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\british hardcore sleeping nipples balls .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fetish several models lady .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\action lingerie [free] .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\black beastiality [milf] beautyfull .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\spanish fetish handjob big (Karin,Samantha).rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fetish cum hot (!) traffic .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\trambling beastiality hidden boobs .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\fetish uncut feet pregnant .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

pid	process
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
3156	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
4900	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	pid	process	target process
PID 3008 wrote to memory of 2924	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 3008 wrote to memory of 2924	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 3008 wrote to memory of 2924	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2924 wrote to memory of 4900	2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2924 wrote to memory of 4900	2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2924 wrote to memory of 4900	2924	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 3008 wrote to memory of 3156	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 3008 wrote to memory of 3156	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 3008 wrote to memory of 3156	3008	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2924

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3156

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\canadian horse catfight .avi.exe
Filesize
346KB

MD5
a06d3d6afbf93610001a27eebd8521e9

SHA1
7fc417a614e4f9cf99878002503a839f6b49ced4

SHA256
8f63f36df531bf3afd3ff75d6054532a9a25971b0a8df9b2046430deebefebee

SHA512
fe4627be4e19d14e87d0733d5a081ac63f8d22dc6cda913389baf7f04efc3a0540933254d7e6f6f798bf7ea9c87d1228538bef00bc3a2726c04864a38dc84a79

Download Submit