e21563481d54b34c90da18a4ad068c98cbb1e5f5b42e3e1e58ff67327febb22e

Analysis

max time kernel
147s
max time network
151s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07e81fbf3a228352d4bf586411e3deed.exe
Size

1.4MB
MD5

07e81fbf3a228352d4bf586411e3deed
SHA1

b0190b56986485076e12fef9e919e4829ac04b97
SHA256

e21563481d54b34c90da18a4ad068c98cbb1e5f5b42e3e1e58ff67327febb22e
SHA512

196155b5f7de600d656626b8c02ef447dd1d7e6c35257f418e2c8277f8bac0cf1a899ace5a03395e47ae7d65d34652aa191d1e89fb4ecebdc0558de3cefaf228
SSDEEP

24576:bHNlDOAt37OotrklrFnEXUAYOJJBTNuMAmkQ+tt4NLVBpXW71I4WtQFQOVab7cx:jNwAtJto5REEsJJBTYMAmkeBxtQFQCaq

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1524-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0013000000013721-5.dat	upx
behavioral1/memory/2680-23-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2680-58-0x00000000047E0000-0x0000000004809000-memory.dmp	upx
behavioral1/memory/2456-59-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	07e81fbf3a228352d4bf586411e3deed.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\L:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\U:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\Z:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\B:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\G:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\N:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\P:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\T:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\X:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\Y:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\E:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\K:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\Q:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\V:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\J:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\O:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\M:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\R:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\S:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\W:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\A:	07e81fbf3a228352d4bf586411e3deed.exe
File opened (read-only)	\??\I:	07e81fbf3a228352d4bf586411e3deed.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\horse full movie blondie .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\japanese porn lesbian several models feet fishy (Tatjana).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian kicking beast hidden cock femdom .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\FxsTmp\norwegian hardcore big titts swallow .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian nude sperm lesbian leather .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian animal blowjob [free] fishy .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\config\systemprofile\xxx public glans blondie (Karin).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish porn beast catfight cock (Britney,Sylvia).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\FxsTmp\indian animal bukkake licking titts bedroom .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\SysWOW64\IME\shared\russian action fucking [bangbus] girly .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\trambling several models .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files\Common Files\Microsoft Shared\danish animal beast big high heels .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files\Windows Journal\Templates\black beastiality trambling [bangbus] swallow .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\brasilian cumshot xxx public femdom .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish kicking sperm sleeping feet hairy (Karin).zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\sperm uncut .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx big glans (Britney,Karin).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files\DVD Maker\Shared\lingerie uncut swallow (Britney,Curtney).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian gang bang gay voyeur glans .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Google\Update\Download\blowjob hidden young .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\xxx hot (!) hole fishy .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\sperm [free] .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\black fetish gay hidden (Sarah).mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\danish porn trambling voyeur (Samantha).mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\tyrkish cumshot lesbian big (Jade).mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore hot (!) feet (Sonja,Melissa).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\indian kicking fucking hot (!) blondie .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\fucking [bangbus] glans mistress .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\norwegian hardcore public titts .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\danish handjob blowjob [bangbus] (Sarah).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\hardcore [free] ìï .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\asian lingerie public cock upskirt .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\action fucking [free] upskirt .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\beastiality bukkake public black hairunshaved .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\american kicking blowjob masturbation gorgeoushorny .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\canadian trambling masturbation hole pregnant (Sylvia).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\beast full movie granny (Sonja,Karin).zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\InstallTemp\gang bang horse [free] stockings .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\asian xxx lesbian titts .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\kicking xxx sleeping .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\japanese cum xxx sleeping feet gorgeoushorny .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\lesbian several models black hairunshaved .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\swedish cumshot hardcore big titts .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\tyrkish fetish hardcore girls swallow (Kathrin,Tatjana).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\indian gang bang trambling catfight .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\american animal blowjob sleeping boots (Britney,Karin).mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\french sperm [milf] 50+ (Ashley,Tatjana).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\xxx public hole beautyfull .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\temp\danish fetish gay sleeping YEâPSè& (Anniston,Sylvia).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\horse [milf] glans black hairunshaved .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\french gay [milf] mature .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\american cum xxx licking .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\action lesbian voyeur gorgeoushorny .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\lingerie public (Sarah).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\nude bukkake licking ash .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\trambling [free] glans swallow .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\american nude lingerie hot (!) feet young (Melissa).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\security\templates\lingerie voyeur sm (Kathrin,Liz).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\indian kicking gay licking titts leather .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\handjob fucking licking glans .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\fetish horse uncut (Curtney).mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\indian animal xxx big feet leather .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\bukkake catfight cock blondie .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish fetish gay [bangbus] 40+ .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian horse sperm public ejaculation .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\asian beast hidden (Karin).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\hardcore catfight (Melissa).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\malaysia xxx licking .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\canadian horse licking upskirt .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\canadian gay several models high heels (Christine,Janette).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\tmp\german hardcore uncut feet high heels (Samantha).zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\black horse blowjob [free] bedroom (Sonja,Liz).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\canadian horse licking (Curtney).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\action lingerie full movie glans granny .mpg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\cum hardcore voyeur glans (Jenna,Curtney).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\swedish cumshot bukkake lesbian (Jade).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\Downloaded Program Files\swedish animal beast masturbation cock .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\kicking xxx catfight hole sweet (Jade).rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\british gay masturbation ejaculation .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\horse blowjob big latex .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\asian beast masturbation glans .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\lingerie lesbian shower .zip.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\sperm full movie feet balls .rar.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\italian handjob trambling lesbian black hairunshaved .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\tyrkish cum beast girls cock swallow (Melissa).mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\kicking horse full movie sweet (Anniston,Sarah).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american cum sperm catfight titts (Ashley,Melissa).avi.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\indian fetish hardcore licking .mpeg.exe	07e81fbf3a228352d4bf586411e3deed.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\indian porn xxx uncut granny .avi.exe	07e81fbf3a228352d4bf586411e3deed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe
2456	07e81fbf3a228352d4bf586411e3deed.exe
2680	07e81fbf3a228352d4bf586411e3deed.exe
1524	07e81fbf3a228352d4bf586411e3deed.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 2680	1524	07e81fbf3a228352d4bf586411e3deed.exe	28
PID 1524 wrote to memory of 2680	1524	07e81fbf3a228352d4bf586411e3deed.exe	28
PID 1524 wrote to memory of 2680	1524	07e81fbf3a228352d4bf586411e3deed.exe	28
PID 1524 wrote to memory of 2680	1524	07e81fbf3a228352d4bf586411e3deed.exe	28
PID 2680 wrote to memory of 2456	2680	07e81fbf3a228352d4bf586411e3deed.exe	29
PID 2680 wrote to memory of 2456	2680	07e81fbf3a228352d4bf586411e3deed.exe	29
PID 2680 wrote to memory of 2456	2680	07e81fbf3a228352d4bf586411e3deed.exe	29
PID 2680 wrote to memory of 2456	2680	07e81fbf3a228352d4bf586411e3deed.exe	29

C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe
"C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe
  "C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe
    "C:\Users\Admin\AppData\Local\Temp\07e81fbf3a228352d4bf586411e3deed.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian gang bang gay voyeur glans .mpeg.exe

Filesize
1.2MB

MD5
3540d169c6dfce42ddd9d2ab5f66bf47

SHA1
9133f4434b2a3be74d07b5f41e6814e5e458fca5

SHA256
b3037dfff38f71018502ec92f6e2045d7658d4a0fa1e79476990f5572031ae17

SHA512
4a9d711414cb8271cf7e3bdbe6d2d97b12a8bfba96ccf6431e23a12a4690f66bd7505bdfdcf9c01c85daf4644efe5c5132ba51b07c9abdd2dc0cea272f288004

Download Submit
C:\debug.txt

Filesize
183B

MD5
05fca08208ae0a4d0745822ca36e6f5a

SHA1
089fe369611f6af495b6b372ef9c3f78d2273cb2

SHA256
ccd1e40261a2f4b1e5178d25810c7dc2ec2ce0e9f0af6946d2b12f474a04f574

SHA512
a5fc84bcd15a76ccce8ada687cc636f2a83693c4f768f2e09ce8f10546e91b560cd084f967acd9ffd64160e9b678941721364c5f9ea39a5cfe34885dc557930b

Download Submit
memory/1524-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1524-20-0x0000000004E90000-0x0000000004EB9000-memory.dmp

Filesize
164KB

Download
memory/2456-59-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-23-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2680-58-0x00000000047E0000-0x0000000004809000-memory.dmp

Filesize
164KB

Download