9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-04-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
Size

354KB
MD5

3b4779dbc67506f394af7bc270b47f41
SHA1

98906d8afaf117fb4210447b9991a2f1def343af
SHA256

9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702
SHA512

da9d61f0a5dcf8bbc3a3b2fb2d332b9fce5ab677be7e81167b2bed9501c741419d95a3714c1be244a4c7d5e03e50218b65cc9680fc6849769d9c234541c57ddf
SSDEEP

6144:oGHGRpO9p1om9+xs3NBBlsVmXqKM6m1kJS8QRhh24ojXG5RZnfA5MdcdlDT2tMdf:oGHasii9BlXqT6m9RhhrorKn4m6lDwvW

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d61-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\M:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\R:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\T:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\V:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\Y:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\A:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\O:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\P:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\U:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\W:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\H:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\L:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\Q:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\X:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\N:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\S:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\Z:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\E:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\G:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\I:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\J:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File opened (read-only)	\??\K:	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\italian bukkake handjob masturbation (Janette,Britney).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\IME\shared\nude masturbation castration (Christine).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\french fucking [free] mistress .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\canadian gang bang girls glans .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian beastiality [free] (Sarah,Sonja).mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\IME\shared\tyrkish gang bang action catfight .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\german hardcore cum big hairy .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\FxsTmp\porn hidden castration .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian gay hidden high heels .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\SysWOW64\config\systemprofile\bukkake lingerie sleeping penetration .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gay gay licking .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\trambling kicking uncut penetration .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files\DVD Maker\Shared\gang bang porn big shoes (Liz).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\brasilian porn licking legs wifey .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Google\Temp\cumshot handjob hidden 50+ .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files\Common Files\Microsoft Shared\african blowjob cum hot (!) hotel .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\norwegian porn full movie (Curtney).rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\cumshot catfight .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\bukkake several models upskirt .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\fetish [milf] ash (Sonja).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Google\Update\Download\cum [milf] redhair .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\gay horse voyeur .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\porn action full movie hole .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob lesbian titts (Ashley,Ashley).rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Program Files\Windows Journal\Templates\russian porn [free] boots .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\tyrkish cum sperm lesbian stockings .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\spanish trambling full movie swallow .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\russian fucking horse [free] glans .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\norwegian cumshot cum girls castration .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\tyrkish fucking lesbian [free] vagina gorgeoushorny .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\sperm masturbation ash ash .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\italian nude catfight vagina (Ashley).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\beastiality hot (!) nipples (Samantha).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\chinese animal beast [bangbus] black hairunshaved .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\PLA\Templates\chinese fucking big .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\lingerie porn big boobs (Sandy,Curtney).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\Temp\brasilian trambling catfight blondie .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\french cum [milf] .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\malaysia gang bang gang bang [milf] shoes .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\fucking lesbian vagina .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\indian trambling gay hot (!) hole castration .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\animal horse uncut ash .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\italian nude lesbian 40+ (Jade,Anniston).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\trambling masturbation redhair .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\temp\spanish action masturbation ìï (Anniston).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\trambling uncut bondage .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\african fetish big feet .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\canadian xxx gang bang full movie traffic (Sandy).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\handjob lingerie voyeur feet .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\norwegian trambling gang bang hidden (Sylvia).rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian gang bang uncut .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\action fucking lesbian ejaculation .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\american handjob voyeur vagina (Sonja,Ashley).mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\american blowjob animal licking lady .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\lingerie [bangbus] black hairunshaved .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\african lingerie kicking [bangbus] glans stockings .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\norwegian beastiality sleeping (Britney).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\trambling hidden shower .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\chinese bukkake trambling girls girly .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\sperm lesbian (Karin).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\beastiality sleeping .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\porn full movie upskirt .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\german animal bukkake big feet mistress .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\animal catfight boobs .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\hardcore kicking [bangbus] (Sarah,Britney).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\canadian nude cumshot licking nipples .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\italian gang bang voyeur .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\beast full movie nipples black hairunshaved .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\japanese bukkake animal voyeur cock (Ashley).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\InstallTemp\gang bang lesbian [milf] (Jenna,Tatjana).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\beast animal girls black hairunshaved (Anniston).avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\gang bang voyeur bondage (Kathrin).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\danish horse hidden .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\danish beastiality nude girls .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\hardcore hidden .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\indian fucking [free] traffic .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\brasilian xxx beastiality uncut feet high heels .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\african lesbian full movie hole pregnant .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\fetish animal masturbation pregnant .mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\xxx masturbation boobs .avi.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\african nude horse masturbation ash pregnant (Anniston,Christine).mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\tyrkish beast hot (!) shower (Sonja).mpeg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\danish bukkake beast public balls .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\indian handjob uncut .rar.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\mssrv.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx hidden lady .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\japanese fetish [free] vagina wifey (Karin).zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\nude cumshot masturbation ash .zip.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\brasilian trambling nude big .mpg.exe	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
2424	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2516	2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	28
PID 2200 wrote to memory of 2516	2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	28
PID 2200 wrote to memory of 2516	2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	28
PID 2200 wrote to memory of 2516	2200	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	28
PID 2516 wrote to memory of 2424	2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	29
PID 2516 wrote to memory of 2424	2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	29
PID 2516 wrote to memory of 2424	2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	29
PID 2516 wrote to memory of 2424	2516	9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe	29

C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
"C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
  "C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe
    "C:\Users\Admin\AppData\Local\Temp\9a02983210e7a7dcabb6f6b49b5867559ec9e0b5d2cf8569c9db380bbd9e0702.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\gay gay licking .zip.exe

Filesize
695KB

MD5
8f2c1c54facb9b8709531c3fd998a09c

SHA1
44b894b90aa0e7dd3ead73523c986865fb623060

SHA256
8303f7b001a45413c9045f206db5ec013bb0bf28c9ee66311f622d0b961904bf

SHA512
b0289064a2e7589d22810c2026d7518c328cd7ca7a4fec6084818638b854e3d0d7d5edd7396098d17e2e4be38f5dfa95a1c62fd3a7041be073fac34b203d5e69

Download Submit
C:\debug.txt

Filesize
183B

MD5
bed8e8b62c11807d977e1f10a83b9dcd

SHA1
cfd544e7eed16bcbac06458e5b7ddcf4250a3d2f

SHA256
d847ce2a701241e6c7a2a64d9e5b1c216e80d6318674bc1cbb6a8c1b21a1afe0

SHA512
66ca1ed4dad0bf77c5ba2943b30e1c6465dc85369e27d8b5943243c729cef54e9d817d5fb89ab36bff8187d8a3af841452b24723ce223d93fd88cb535346b1a8

Download Submit