4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
Size

520KB
MD5

0c33f359163569ceb73dff9c36fc6240
SHA1

c9a85bed124dedd4d41c45084e84aa28a6c8abd9
SHA256

4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2
SHA512

f86b3373daf31a7e94c1cc84c00923465fa4aea6f49e8a251433a4740882afc75dbc0c1991b59442ff822443805d92e63944c7c6f847eb3f914f23fc9fbc8bc5
SSDEEP

12288:zXCNi9BF+6YaHe67wpdXYOVLtAcfs4SgDF:2WF+6YQspdXd8cfNSM

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\O:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\U:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\V:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\N:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\T:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\X:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\I:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\J:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\K:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\L:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\P:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\B:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\E:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\H:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\Q:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\Y:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\M:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\R:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\S:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\Z:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\A:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\F:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File opened (read-only)	\??\G:	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian animal blowjob lesbian glans lady (Tatjana).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\IME\shared\horse public glans balls (Sarah).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\russian fetish fucking [free] black hairunshaved .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian animal lingerie girls feet blondie .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian handjob blowjob uncut cock mature .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish animal bukkake public .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\System32\DriverStore\Temp\indian cum trambling [bangbus] swallow .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\FxsTmp\lingerie lesbian feet ash (Liz).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish animal beast girls hole .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian gang bang sperm licking stockings .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\black beastiality trambling licking ash .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish horse trambling hidden hole swallow (Samantha).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish cum beast sleeping hairy .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\brasilian action hardcore girls high heels (Jenna,Tatjana).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\fucking sleeping 50+ .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\black cum lesbian masturbation .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish handjob bukkake lesbian glans shower (Tatjana).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bukkake [bangbus] cock boots (Janette).rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files\Windows Journal\Templates\blowjob hidden upskirt (Gina,Melissa).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\trambling hot (!) (Sarah).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Google\Update\Download\blowjob full movie (Samantha).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\beast catfight .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\xxx full movie beautyfull .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\tyrkish cum beast [free] .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake big cock .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\asian sperm several models glans sm .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\trambling [milf] hole redhair .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\british blowjob masturbation latex .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\asian lesbian licking .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\beast several models feet .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\tmp\japanese action blowjob hot (!) mistress (Britney,Sylvia).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\british gay licking feet .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\cum horse public bedroom .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\canadian hardcore public gorgeoushorny (Britney,Liz).rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\porn trambling masturbation cock .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\danish porn fucking public (Melissa).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\american animal xxx [bangbus] cock .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\fucking hidden ash .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\fucking big .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\gay hot (!) .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\gay masturbation shoes (Ashley,Sarah).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\french lingerie hidden lady (Kathrin,Sylvia).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\sperm full movie .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\indian nude fucking girls titts hairy (Janette).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\Temp\danish fetish bukkake hot (!) .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\norwegian gay uncut circumcision .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\hardcore public latex (Sandy,Sarah).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish nude sperm catfight fishy .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\lingerie public stockings .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\french xxx big .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\norwegian sperm masturbation circumcision .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\action trambling [free] circumcision .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay hidden .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\kicking hardcore licking (Liz).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\sperm hot (!) hole black hairunshaved .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\indian gang bang sperm big ash .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\spanish lingerie big hole .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\brasilian animal hardcore public castration .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\italian animal blowjob lesbian mistress .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american animal blowjob [bangbus] .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\gang bang lesbian full movie wifey .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\danish fetish fucking uncut boots (Ashley,Samantha).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\black beastiality xxx public titts fishy (Jade).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\lingerie uncut young .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\italian action lingerie licking black hairunshaved .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\InstallTemp\chinese gay hidden (Tatjana).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\swedish kicking hardcore [free] young .zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\PLA\Templates\italian nude gay catfight granny (Sandy,Melissa).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\italian horse lingerie hidden hole .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\cumshot lesbian big young (Sandy,Karin).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\hardcore uncut (Sylvia).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\german hardcore [bangbus] feet (Sandy,Melissa).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\african fucking girls .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\cumshot beast sleeping cock granny .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish nude beast girls wifey .mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\beast several models feet swallow (Curtney).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\temp\bukkake several models bondage (Britney,Samantha).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\american fetish horse catfight (Karin).rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\trambling hidden (Tatjana).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\african fucking licking (Tatjana).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\japanese beastiality gay hidden cock stockings (Curtney).zip.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\indian handjob horse public feet (Christine,Karin).avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\xxx masturbation beautyfull .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\japanese handjob gay sleeping bedroom .mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\horse voyeur .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\indian porn hardcore [bangbus] feet fishy (Jade).mpg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\asian xxx masturbation feet .rar.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\malaysia lesbian masturbation feet swallow (Curtney).mpeg.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\spanish gay [bangbus] 50+ .avi.exe	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
552	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 2040	1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	27
PID 1204 wrote to memory of 2040	1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	27
PID 1204 wrote to memory of 2040	1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	27
PID 1204 wrote to memory of 2040	1204	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	27
PID 2040 wrote to memory of 552	2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	28
PID 2040 wrote to memory of 552	2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	28
PID 2040 wrote to memory of 552	2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	28
PID 2040 wrote to memory of 552	2040	4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe	28

C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
"C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
  "C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe
    "C:\Users\Admin\AppData\Local\Temp\4f9014416a3eab0d29a8f15c3ae8483ed80a5d8716d5d7dbd10770fa7d7965b2.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:552