c6f9bf01583b17a4dbbee494ebdd901aa3b12723ebef43d5e39fbbb7936b2e23

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a03af0f09818c405bea61cc21b6581f.exe
Size

106KB
MD5

6a03af0f09818c405bea61cc21b6581f
SHA1

ef577f8861f1f126f5afd7a02ad1e033f93b6e66
SHA256

c6f9bf01583b17a4dbbee494ebdd901aa3b12723ebef43d5e39fbbb7936b2e23
SHA512

c7947facd23c6779a4f5fc824b64c8429a6a30756396d65c9d0246b4fc68ffdd86501f9d0f50d56f396b6c75ad3d07f92008b982560d0f3bd8a0373e1563cf0f
SSDEEP

3072:oGqIGRpTa9p1om9PW/pqqsFUCN3R9MI+I0ZfG:oGHGRpO9p1om9+xs3NBBSG

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6a03af0f09818c405bea61cc21b6581f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\L:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\M:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\O:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\W:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\X:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\I:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\H:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\J:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Q:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\R:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\T:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\V:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Y:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\E:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Z:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\N:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\P:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\B:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\G:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\S:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\U:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\A:	6a03af0f09818c405bea61cc21b6581f.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\sperm masturbation fishy .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian action horse public titts high heels .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\System32\DriverStore\Temp\russian horse lingerie girls glans sm (Curtney).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia sperm hot (!) hairy (Gina,Liz).rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\IME\shared\lesbian big latex .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black cumshot horse lesbian glans .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian nude blowjob big hole .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian cumshot trambling licking hotel .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm [free] lady (Sandy,Samantha).mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SysWOW64\IME\shared\gay full movie (Sarah).mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\blowjob hot (!) titts femdom .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\gay several models glans redhair .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\horse hidden girly .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Common Files\Microsoft Shared\danish fetish xxx masturbation hole .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gay voyeur hole black hairunshaved .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\black beastiality lingerie licking 50+ .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black beastiality lesbian [bangbus] beautyfull .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\indian cumshot lingerie hidden latex .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Google\Temp\russian action trambling [free] hole beautyfull .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\DVD Maker\Shared\danish gang bang trambling voyeur .avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Windows Journal\Templates\black cumshot lesbian sleeping ash .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\indian porn hardcore licking bedroom .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\hardcore full movie upskirt .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Google\Update\Download\black horse horse masturbation (Karin).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\russian cumshot hardcore [bangbus] sweet (Jenna,Karin).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\spanish lingerie masturbation 50+ .avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\cumshot lesbian full movie ìï .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\italian fetish fucking hot (!) .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\animal beast catfight (Samantha).mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\action trambling big wifey .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\canadian lesbian lesbian shoes (Sandy,Sarah).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\gay big glans .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\hardcore hot (!) granny .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\japanese cum blowjob lesbian gorgeoushorny .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\fucking hidden feet upskirt .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\Downloaded Program Files\black action blowjob hidden upskirt .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\norwegian hardcore several models stockings .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\InstallTemp\cumshot lingerie several models traffic .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\SoftwareDistribution\Download\beast voyeur .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\indian animal lesbian [free] hole .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\hardcore voyeur leather .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\blowjob [bangbus] .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\porn sperm full movie titts traffic .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\beast public gorgeoushorny .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\russian handjob beast sleeping hole .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\gang bang bukkake [milf] titts girly .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\danish porn lesbian [bangbus] lady .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\trambling catfight titts .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\security\templates\black animal xxx licking titts sweet .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\asian lingerie [milf] fishy .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\tyrkish fetish bukkake masturbation hole redhair (Melissa).zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\african lesbian several models .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\indian animal fucking hot (!) bondage .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american cum trambling [milf] circumcision .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\indian action hardcore masturbation hairy .avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling [bangbus] .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\canadian bukkake sleeping feet .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\spanish sperm licking glans bedroom .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish horse bukkake several models wifey .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\gang bang trambling several models glans .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\asian horse licking (Liz).mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\gang bang bukkake [milf] cock bedroom (Liz).rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\brasilian kicking trambling masturbation (Curtney).mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian handjob fucking lesbian feet femdom (Janette).zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\african lingerie hidden .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\kicking lingerie [milf] bondage .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\chinese blowjob girls (Melissa).rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\african trambling [milf] cock .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\spanish xxx catfight cock .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\danish cum blowjob [bangbus] .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\indian cumshot fucking girls feet .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\lesbian public 40+ .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\bukkake uncut titts blondie .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\tmp\swedish cumshot blowjob voyeur blondie .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\xxx [bangbus] titts .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\italian cum lingerie lesbian wifey .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\danish animal trambling voyeur cock pregnant .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\handjob blowjob sleeping glans .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish cum xxx [milf] feet .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\american cumshot beast [bangbus] titts circumcision .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\hardcore hidden feet .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\lingerie hot (!) fishy .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\beastiality gay masturbation girly .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\lesbian uncut granny .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\indian cum hardcore girls glans beautyfull (Liz).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\beast hidden .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\hardcore masturbation hole .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\handjob trambling masturbation titts .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\fucking [free] feet gorgeoushorny .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe
1100	6a03af0f09818c405bea61cc21b6581f.exe
2156	6a03af0f09818c405bea61cc21b6581f.exe
2556	6a03af0f09818c405bea61cc21b6581f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 2156	1100	6a03af0f09818c405bea61cc21b6581f.exe	28
PID 1100 wrote to memory of 2156	1100	6a03af0f09818c405bea61cc21b6581f.exe	28
PID 1100 wrote to memory of 2156	1100	6a03af0f09818c405bea61cc21b6581f.exe	28
PID 1100 wrote to memory of 2156	1100	6a03af0f09818c405bea61cc21b6581f.exe	28
PID 2156 wrote to memory of 2556	2156	6a03af0f09818c405bea61cc21b6581f.exe	29
PID 2156 wrote to memory of 2556	2156	6a03af0f09818c405bea61cc21b6581f.exe	29
PID 2156 wrote to memory of 2556	2156	6a03af0f09818c405bea61cc21b6581f.exe	29
PID 2156 wrote to memory of 2556	2156	6a03af0f09818c405bea61cc21b6581f.exe	29

C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
"C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
  "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
    "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\gay voyeur hole black hairunshaved .rar.exe

Filesize
997KB

MD5
e8847c40b97d4f1d32efc0d5a450614e

SHA1
3285027cf9fd5cd71c9f2672701a929efde98a0c

SHA256
5354224f0e21348d2b330775fda271c14833c243371142e5b5b462039e185784

SHA512
0860d28d32958c3decee4d778d30c0a26ab6776bea8f53c4d0d6911e5c0fccba9fef6f67c5f1c0a100484e22705e1c8323879d6652031efd91429755de027761

Download Submit