ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
Size

1.6MB
MD5

3bd55a7608f85dbd9c5c264492a1c004
SHA1

5f4ad6bf16310c32bb5fd53b3e5ff77ce95e90a8
SHA256

ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307
SHA512

f674b8eaab9f574af793cd1862cd88928aab752e5cd1de80988ef5f5126c9db2383ef3fdb80de9daf2afff766ec9c9d30c88b8e13d3f1884d865e461a60029ed
SSDEEP

49152:5MkC/csR7ahLFZbMzm58hGlwcP6K/kkKCQFi6HCmNm:qF/cweFFZozW8sjCnk+Fcom

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015c7c-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\W:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\N:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\O:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\R:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\U:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\X:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Z:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\B:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\G:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\H:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\J:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\M:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\P:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Q:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\S:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\A:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Y:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\V:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\I:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\K:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\L:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\E:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\russian cum lingerie masturbation upskirt .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian kicking xxx [milf] glans YEâPSè& (Tatjana).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\System32\DriverStore\Temp\malaysia trambling catfight .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn fucking [free] hotel .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\IME\shared\american handjob hardcore full movie hairy .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse girls .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese gang bang blowjob girls titts (Christine,Janette).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob uncut hole .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish kicking sperm licking (Samantha).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\IME\shared\indian cumshot xxx voyeur .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\horse lesbian hole 40+ (Janette).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian cum horse sleeping cock .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\DVD Maker\Shared\italian handjob lingerie girls .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Windows Journal\Templates\brasilian nude bukkake catfight .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Google\Temp\trambling public glans .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\horse masturbation glans .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\tyrkish beastiality gay licking lady .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Common Files\Microsoft Shared\brasilian gang bang beast licking granny .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish porn gay hidden .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\russian horse lingerie [free] feet .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\beast hidden hole lady (Samantha).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\japanese action hardcore several models castration (Sonja,Karin).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\japanese cumshot hardcore girls leather .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\danish nude sperm lesbian (Jade).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Google\Update\Download\indian kicking blowjob big 40+ .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\swedish horse bukkake sleeping .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\gay masturbation titts .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\tyrkish action beast hidden .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\swedish porn horse girls .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\beastiality lingerie big (Sylvia).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\fetish sperm hot (!) feet hotel .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\handjob horse big .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish animal hardcore uncut bondage .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\danish horse fucking sleeping .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\fetish gay [free] titts latex (Janette).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\african bukkake licking high heels .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\beast [milf] glans leather .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\mssrv.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\trambling lesbian .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\malaysia sperm [bangbus] hole mature (Janette).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\beastiality xxx uncut feet (Christine,Curtney).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\horse hardcore [free] cock boots .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\porn trambling hidden .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\lingerie lesbian upskirt .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\sperm hidden 50+ .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\lesbian public hole .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish beastiality lesbian hidden traffic .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\horse public titts .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\spanish sperm catfight hole balls (Sarah).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\italian nude horse full movie .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\Temp\italian beastiality sperm masturbation young .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\animal lingerie [bangbus] balls .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\chinese sperm big cock .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\swedish kicking gay girls cock swallow .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\chinese beast big hairy (Gina,Janette).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish porn beast uncut YEâPSè& .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\german sperm sleeping cock ejaculation .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\kicking fucking [bangbus] feet bondage (Karin).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\trambling masturbation hole gorgeoushorny (Janette).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\norwegian bukkake catfight feet (Jenna,Tatjana).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\InstallTemp\blowjob [bangbus] girly .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\sperm several models (Janette).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\canadian lesbian hidden latex .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\kicking bukkake hidden hole .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\beastiality bukkake girls .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian action xxx catfight .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\british bukkake full movie feet fishy .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\italian horse xxx hot (!) glans bondage .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\danish horse beast masturbation 40+ .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\animal hardcore hot (!) hole blondie (Liz).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\temp\american handjob sperm masturbation glans .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\chinese xxx several models .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\trambling licking traffic (Sandy,Karin).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob hidden glans penetration .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\fetish fucking big YEâPSè& .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\sperm sleeping feet traffic .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\british trambling public young .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\nude beast licking cock ash .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\tyrkish animal horse big traffic .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\gay several models granny .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\kicking blowjob public feet latex (Melissa).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\beast girls cock .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\indian gang bang horse [milf] blondie .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\beast [bangbus] glans shower .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\canadian trambling public feet .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\canadian lingerie public .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\brasilian kicking lesbian masturbation wifey (Britney,Sarah).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\tmp\tyrkish porn fucking hidden glans sm .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\animal bukkake lesbian titts (Christine,Janette).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2388	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
2444	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2104	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	28
PID 2232 wrote to memory of 2104	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	28
PID 2232 wrote to memory of 2104	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	28
PID 2232 wrote to memory of 2104	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	28
PID 2232 wrote to memory of 2388	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	29
PID 2232 wrote to memory of 2388	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	29
PID 2232 wrote to memory of 2388	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	29
PID 2232 wrote to memory of 2388	2232	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	29
PID 2104 wrote to memory of 2444	2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	30
PID 2104 wrote to memory of 2444	2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	30
PID 2104 wrote to memory of 2444	2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	30
PID 2104 wrote to memory of 2444	2104	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	30

C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
"C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
    "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2444
- C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\danish porn gay hidden .avi.exe

Filesize
1.4MB

MD5
65821c87cdd8d9842cfcaabb718fc679

SHA1
c4c2badb3be0ea56ba6221f765691608e1628a87

SHA256
3bda7d67634cb0b91c61e62d764ff09f5713a8d9aebef009e799a8258b6b0ec6

SHA512
7c754fb2f707f91aca9b83adce4b3bbb736bfbafe23f04f1d3a5ad946c878ba4a449ba617a1e8bc12b895874ba6f3f898262fd3c58dca01a03c8db348e2477d1

Download Submit
C:\debug.txt

Filesize
183B

MD5
e326ed4f8ec801b850d39eb561321a4a

SHA1
64d3bcbf34e47e4f077b2ca6c9f3e0038b1c26c3

SHA256
a7ad3db5e702cadf01a70533cbdee245da9ff1613a21827684b01dfdf3392cfb

SHA512
9c73b3c0b516228787b7a608618e753bdaeb6c4a8032d56c52490e502c8fa1604e2876806607600ec26773f567a29df1048e6c9f571eb102cb38a2137c75b9d3

Download Submit