ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307

Analysis

max time kernel
153s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
Size

1.6MB
MD5

3bd55a7608f85dbd9c5c264492a1c004
SHA1

5f4ad6bf16310c32bb5fd53b3e5ff77ce95e90a8
SHA256

ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307
SHA512

f674b8eaab9f574af793cd1862cd88928aab752e5cd1de80988ef5f5126c9db2383ef3fdb80de9daf2afff766ec9c9d30c88b8e13d3f1884d865e461a60029ed
SSDEEP

49152:5MkC/csR7ahLFZbMzm58hGlwcP6K/kkKCQFi6HCmNm:qF/cweFFZozW8sjCnk+Fcom

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023246-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\H:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\J:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\O:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\T:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Y:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\K:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\L:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\M:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\N:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\U:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\W:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\X:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\A:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\B:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\G:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\I:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\P:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Q:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\R:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\S:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\V:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File opened (read-only)	\??\Z:	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse hot (!) (Sonja,Janette).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese porn fetish voyeur nipples granny .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\FxsTmp\beastiality licking .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian sperm hot (!) vagina shower .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\IME\SHARED\swedish cumshot nude girls femdom .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\norwegian cumshot uncut ejaculation .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\config\systemprofile\cumshot public ash .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian lesbian masturbation (Tatjana,Tatjana).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african xxx lesbian uncut mature .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob action girls .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\System32\DriverStore\Temp\french horse horse big girly (Jade).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian horse handjob public titts lady (Sandy).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\british bukkake lesbian leather (Sarah).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\asian gay full movie cock .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\beastiality fucking [free] feet hotel .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Google\Temp\russian fetish blowjob hot (!) traffic (Ashley,Curtney).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\norwegian cum hardcore sleeping vagina high heels .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\dotnet\shared\xxx kicking masturbation feet .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\tyrkish lesbian full movie hairy .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lingerie masturbation bedroom .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\spanish cumshot horse licking balls .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\root\Templates\chinese cumshot cum licking glans .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\sperm licking beautyfull (Sonja,Gina).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie lesbian mature .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Google\Update\Download\french animal cum girls .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\russian sperm bukkake public high heels (Tatjana).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german blowjob uncut redhair .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lingerie voyeur swallow .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\asian animal sleeping swallow (Sonja).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Microsoft\Temp\beastiality fucking [milf] legs hotel .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\malaysia animal hot (!) feet .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\beast hot (!) boobs Œã .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\gay lesbian .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\japanese hardcore fetish [bangbus] mistress .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\british beastiality [free] .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\PLA\Templates\japanese blowjob lingerie sleeping .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\swedish fucking horse lesbian cock (Christine).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\beastiality fetish big nipples .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\cumshot gay big lady .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\horse bukkake masturbation .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\malaysia trambling lesbian Œã (Sonja,Kathrin).rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\handjob nude hidden .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\tyrkish handjob beastiality girls .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\lingerie beast hidden blondie .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\blowjob kicking big vagina sweet .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\cum full movie .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\nude beastiality hidden shower .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\beastiality sleeping granny .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\african porn hidden swallow .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\sperm xxx [bangbus] hole YEâPSè& .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\hardcore horse hot (!) .avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\sperm handjob uncut (Britney).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\action cum lesbian ash .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\italian lesbian [free] boobs .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\canadian fucking trambling licking cock latex (Ashley,Janette).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\tmp\gang bang [bangbus] black hairunshaved .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american gang bang gay voyeur (Liz,Sonja).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\security\templates\brasilian animal fetish big traffic (Liz,Sonja).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\malaysia sperm horse full movie vagina redhair .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\canadian gay masturbation .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\trambling action [bangbus] wifey .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\malaysia horse lesbian fishy (Tatjana).mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\bukkake voyeur (Sandy,Janette).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\trambling animal catfight shoes .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\nude voyeur legs granny .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\kicking sperm hidden high heels (Christine).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\horse [free] boobs .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\cumshot beastiality licking ash (Gina).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian horse kicking hot (!) boobs stockings .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\spanish porn hot (!) hole black hairunshaved .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\sperm [free] (Jenna).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\norwegian horse girls cock black hairunshaved .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\cumshot full movie redhair .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black fetish masturbation traffic (Sarah).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\trambling trambling big mistress .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\gang bang [bangbus] leather (Christine,Samantha).zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\chinese hardcore porn sleeping (Kathrin).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\nude fetish lesbian boobs .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\brasilian beastiality hot (!) titts (Sonja,Sandy).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\brasilian bukkake action girls sm .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\african trambling beastiality lesbian feet .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\horse handjob lesbian sweet (Jade,Curtney).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\beast lesbian vagina young .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\lesbian horse licking 50+ .mpeg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\chinese gang bang blowjob hot (!) titts mature (Karin).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\swedish beast cumshot [free] hotel (Sylvia,Anniston).mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\asian horse kicking uncut beautyfull .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\norwegian animal uncut legs circumcision .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\blowjob [free] (Jade,Melissa).avi.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\russian lingerie cum [free] glans 50+ .mpg.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\german kicking horse several models shoes .zip.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\tyrkish lingerie fetish [free] .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\cum beastiality public nipples fishy .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\chinese xxx masturbation bedroom .rar.exe	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
4860	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
720	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1872	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	97
PID 4580 wrote to memory of 1872	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	97
PID 4580 wrote to memory of 1872	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	97
PID 4580 wrote to memory of 720	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	99
PID 4580 wrote to memory of 720	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	99
PID 4580 wrote to memory of 720	4580	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	99
PID 1872 wrote to memory of 4860	1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	100
PID 1872 wrote to memory of 4860	1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	100
PID 1872 wrote to memory of 4860	1872	ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe	100

C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
"C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
    "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe
  "C:\Users\Admin\AppData\Local\Temp\ef7c01d34d8e01228e415dba82f65dd229cf0f599ecedf03e1b415a4a727a307.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german blowjob uncut redhair .mpeg.exe

Filesize
1.2MB

MD5
b4dc4215b3a5d6bff922d90614b31309

SHA1
aa0ca0802ca875681fbb4972a364589015ebecab

SHA256
871f76a1f9115f8a35b49de94b14d75376ade624740ba0ea1f8a45537dc45392

SHA512
d8b72595b5e21ed9134e5bb0559aaa351c90b2f596c554e1558ad5e8d0fca078ebf2a1d1daabbb94d455f3d8bf88ad6a86e5aefc370e60e67c1dee567c2b5ad6

Download Submit