f97cd64f0aed46127055a945eaffff77d7b07f152b7009c58beb0ac55b4ddcc3

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53bc0b858eb36eaa7d69ae63e3b74009.exe
Size

1.8MB
MD5

53bc0b858eb36eaa7d69ae63e3b74009
SHA1

8b1121c9f31dd71192b3864d9f8f32c9da8ef091
SHA256

f97cd64f0aed46127055a945eaffff77d7b07f152b7009c58beb0ac55b4ddcc3
SHA512

10c8822ff331a52d78ce1473cdc3912ebf9dc81ae3c73002e47b89c83d4014d7c3c7b07e38b6935ce97387f3f6534c9acdb4de32ea1cf7113f2c47e5cb429a55
SSDEEP

49152:5NWlXk2PyjJZyHSo4RWtTg/a9ZT2tAK44ostSWU:zW62PyjDWtTQaP4AOU

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	53bc0b858eb36eaa7d69ae63e3b74009.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\L:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\O:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\T:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\W:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\X:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\B:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\J:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\P:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\Q:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\S:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\E:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\G:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\H:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\I:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\K:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\N:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\U:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\V:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\M:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\R:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\Y:	53bc0b858eb36eaa7d69ae63e3b74009.exe
File opened (read-only)	\??\Z:	53bc0b858eb36eaa7d69ae63e3b74009.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\chinese handjob fetish masturbation .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\IME\shared\danish handjob hot (!) .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse hidden bondage (Britney).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish gay hot (!) .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish lesbian [bangbus] .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\IME\shared\british horse girls latex .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian lingerie lesbian ash gorgeoushorny (Karin).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\norwegian lingerie trambling sleeping leather (Jade).mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\FxsTmp\beastiality action several models lady (Christine).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SysWOW64\config\systemprofile\african handjob hot (!) .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\chinese porn fetish hidden (Liz,Kathrin).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Google\Temp\action porn big nipples (Melissa,Melissa).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\nude several models 50+ .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish blowjob handjob girls bondage (Sandy).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files\DVD Maker\Shared\japanese fucking nude girls vagina fishy (Kathrin,Samantha).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files\Windows Journal\Templates\black fetish lesbian [free] redhair .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\british fucking cum hidden glans .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\italian cum [bangbus] leather .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\black hardcore voyeur leather (Britney).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files\Common Files\Microsoft Shared\gay sleeping (Karin).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\african lingerie cum hot (!) gorgeoushorny .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Google\Update\Download\bukkake action uncut vagina 50+ .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\african horse public .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\danish gang bang masturbation sm (Ashley,Sandy).rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\canadian lingerie blowjob big .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\horse [free] bondage .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\nude voyeur redhair .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\british horse gay hot (!) glans YEâPSè& .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\canadian nude public .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\Downloaded Program Files\spanish kicking hot (!) balls (Kathrin,Curtney).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american trambling handjob girls feet .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\chinese kicking fetish sleeping sm (Christine,Samantha).mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\russian lesbian action big granny (Jenna).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\bukkake nude uncut legs .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\action cumshot lesbian swallow .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\hardcore voyeur boobs .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\tyrkish beastiality [bangbus] cock bondage (Kathrin).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\malaysia lingerie gay lesbian beautyfull .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\indian blowjob fetish hidden glans (Janette).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian lingerie kicking masturbation .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm full movie sweet (Britney).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\hardcore beastiality public (Gina).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\italian beastiality cum several models blondie .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\malaysia fetish gang bang [free] 40+ .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\german animal [bangbus] upskirt (Jade,Sonja).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\french horse girls cock .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\black bukkake blowjob lesbian black hairunshaved .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx several models .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\cum cumshot hot (!) (Sylvia).mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\beastiality uncut .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\beastiality fucking licking titts ash .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\japanese lesbian cum lesbian legs gorgeoushorny .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\Temp\cumshot girls legs bedroom (Jenna,Christine).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\russian fetish sleeping girly .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\blowjob nude uncut (Melissa).rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\american beast several models castration .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\porn xxx big ash beautyfull .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian gang bang gang bang hidden 40+ .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\british beast lingerie masturbation (Sonja,Sonja).zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\black sperm trambling hidden .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\xxx girls (Kathrin,Jade).rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\temp\british beastiality sleeping 40+ (Ashley,Sarah).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\african horse gay hidden vagina pregnant .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\indian gang bang [free] (Christine,Sonja).avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\SoftwareDistribution\Download\swedish gang bang voyeur (Kathrin).rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\french xxx [milf] glans sweet .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\russian cumshot uncut .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\horse public .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\japanese blowjob [milf] girly .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\gay public boobs femdom .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\malaysia hardcore full movie .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\lesbian licking beautyfull .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\chinese beast licking (Kathrin,Tatjana).mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\blowjob hardcore big girly .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\french bukkake uncut vagina .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\cumshot trambling big YEâPSè& .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\sperm several models YEâPSè& .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\japanese bukkake lesbian mature .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\tyrkish xxx xxx catfight circumcision .mpg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\fetish hot (!) high heels .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\swedish action horse big ìï .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\security\templates\gang bang horse hot (!) cock .avi.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\tyrkish nude catfight boobs (Anniston,Ashley).mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\bukkake xxx big traffic .rar.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\malaysia kicking beastiality catfight 50+ .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\malaysia hardcore [free] cock .zip.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\brasilian xxx hardcore sleeping feet .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\fucking lesbian stockings .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\handjob beast licking cock .mpeg.exe	53bc0b858eb36eaa7d69ae63e3b74009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe
836	53bc0b858eb36eaa7d69ae63e3b74009.exe
2500	53bc0b858eb36eaa7d69ae63e3b74009.exe
2140	53bc0b858eb36eaa7d69ae63e3b74009.exe
1008	53bc0b858eb36eaa7d69ae63e3b74009.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 1008	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	28
PID 2140 wrote to memory of 1008	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	28
PID 2140 wrote to memory of 1008	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	28
PID 2140 wrote to memory of 1008	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	28
PID 1008 wrote to memory of 836	1008	53bc0b858eb36eaa7d69ae63e3b74009.exe	29
PID 1008 wrote to memory of 836	1008	53bc0b858eb36eaa7d69ae63e3b74009.exe	29
PID 1008 wrote to memory of 836	1008	53bc0b858eb36eaa7d69ae63e3b74009.exe	29
PID 1008 wrote to memory of 836	1008	53bc0b858eb36eaa7d69ae63e3b74009.exe	29
PID 2140 wrote to memory of 2500	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	30
PID 2140 wrote to memory of 2500	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	30
PID 2140 wrote to memory of 2500	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	30
PID 2140 wrote to memory of 2500	2140	53bc0b858eb36eaa7d69ae63e3b74009.exe	30

C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe
"C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe
  "C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe
    "C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:836
- C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe
  "C:\Users\Admin\AppData\Local\Temp\53bc0b858eb36eaa7d69ae63e3b74009.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\african lingerie cum hot (!) gorgeoushorny .mpg.exe

Filesize
1.7MB

MD5
dd4513e40021bd60e5cd03f24b23555e

SHA1
d2741daccbea75a50aece48143dbd7890d031e6d

SHA256
f32ac00a33d3cc24d3281e907c7022ce16c571e687dec80a213fde0d95786338

SHA512
a9e52bb50de3dce281baf96e79ce5f1945e2de19ba93346837e8ba17553c8dc2ac24b9190e3cad855800d6f24fbd74dcf93cf4b4949903dee0a80d821a4d8480

Download Submit