bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 02:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
Size

1.5MB
MD5

db34d06bdc792af8e61257f1b9c82f91
SHA1

5ec91f5872eaa0d1b74e35a94bdbb591d6b16a76
SHA256

bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13
SHA512

be8c6af21ca77a0ead29b12aabdc8c52654b836dd0cb29711929ea683227d717986f26c4cae5417d15616ccde2943c8b65154ef6b42302c8c5cf0539964fc356
SSDEEP

24576:sWB3bTyvH7kCyvpZVyGvXOWG8gUmXKBADpbYluVsE3mMn8qKnFMp8G:BfhvfG8gUmXw4pbxnP8VFg/

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001601c-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\V:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\O:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\Q:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\T:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\W:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\Z:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\H:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\M:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\P:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\S:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\Y:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\B:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\K:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\G:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\I:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\J:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\L:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\N:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\U:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\A:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\E:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File opened (read-only)	\??\X:	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian horse handjob full movie ash (Karin,Curtney).mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish fucking action catfight legs .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\IME\shared\blowjob [free] ejaculation (Jenna,Christine).zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\asian porn girls 50+ .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian action girls titts ash .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\System32\DriverStore\Temp\malaysia cum sperm uncut high heels .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian horse xxx full movie .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\IME\shared\animal lesbian young .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\FxsTmp\bukkake fetish masturbation .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\SysWOW64\config\systemprofile\animal masturbation vagina .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\fucking licking (Melissa,Sarah).mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Google\Temp\african fetish action public .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling big boobs 50+ .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\british lesbian full movie mistress .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gang bang lingerie public .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\cum kicking [free] nipples sweet (Liz).rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\xxx hot (!) ash penetration (Britney,Liz).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian porn girls wifey (Jade).zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files\Common Files\Microsoft Shared\spanish blowjob catfight .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files\Windows Journal\Templates\tyrkish action cumshot girls balls .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\cumshot [bangbus] leather .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\blowjob licking shoes .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\kicking [bangbus] ash (Jenna,Anniston).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\norwegian fucking lesbian feet .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\cum masturbation titts shoes (Sandy).avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\beast voyeur nipples .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\norwegian bukkake lesbian glans 40+ .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\fetish fetish big bondage .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\tyrkish horse fucking licking titts granny (Karin).avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\security\templates\swedish horse full movie balls (Gina,Britney).zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\xxx catfight fishy .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\sperm masturbation ìï .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\french beastiality hot (!) .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\cum [bangbus] hole latex .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\PLA\Templates\hardcore action voyeur cock stockings (Sandy).rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\nude gay licking penetration (Tatjana).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\chinese hardcore public glans .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\italian lingerie lesbian voyeur granny (Melissa).rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\norwegian trambling xxx catfight upskirt .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\german nude hidden .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\mssrv.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\fetish blowjob girls vagina stockings .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\animal porn hidden .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\kicking full movie 50+ .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\chinese fucking full movie titts (Sarah).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\brasilian blowjob beast masturbation hole mature .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\brasilian lesbian gay [bangbus] ash .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\french lingerie full movie .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\japanese bukkake animal several models titts YEâPSè& .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\swedish xxx trambling girls .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\cumshot [free] .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\indian blowjob fetish public redhair .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\sperm cumshot [milf] girly .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian handjob [free] .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\action girls redhair (Britney,Melissa).zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\cum girls boobs shoes .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\canadian trambling nude voyeur legs young .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\tmp\malaysia kicking kicking masturbation .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\gang bang gay [free] hole ìï .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\cumshot full movie glans .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\danish bukkake trambling catfight boots (Sylvia).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\InstallTemp\black cum trambling catfight boobs lady .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\horse hardcore licking hole .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\fucking horse voyeur boobs (Christine).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\german porn sperm several models .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\hardcore catfight .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\porn licking hole castration .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\british porn catfight (Karin,Sonja).rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\japanese lesbian licking .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\Temp\spanish fucking hot (!) swallow .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\african fetish [free] nipples 40+ .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\swedish sperm big redhair (Sylvia).avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\asian gang bang full movie .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\japanese beast action [milf] black hairunshaved (Melissa).mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\italian beast gang bang girls .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\brasilian fucking [free] bedroom .avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\porn porn [milf] shower .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\tyrkish animal hot (!) young .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\nude gay voyeur blondie .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black animal horse hot (!) glans .zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\lesbian girls sweet (Karin).avi.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\swedish xxx catfight vagina blondie .mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\norwegian horse horse uncut ash bondage .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\action [free] blondie .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\cumshot porn hidden ìï .rar.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\asian horse catfight beautyfull (Gina,Gina).zip.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\porn [milf] legs .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\gang bang public legs circumcision .mpg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\tyrkish beast animal sleeping vagina (Christine,Ashley).mpeg.exe	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1568	2224	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
2456	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 3000	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	28
PID 2224 wrote to memory of 3000	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	28
PID 2224 wrote to memory of 3000	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	28
PID 2224 wrote to memory of 3000	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	28
PID 3000 wrote to memory of 2456	3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	29
PID 3000 wrote to memory of 2456	3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	29
PID 3000 wrote to memory of 2456	3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	29
PID 3000 wrote to memory of 2456	3000	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	29
PID 2224 wrote to memory of 1568	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	32
PID 2224 wrote to memory of 1568	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	32
PID 2224 wrote to memory of 1568	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	32
PID 2224 wrote to memory of 1568	2224	bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe	32

C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
"C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
  "C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe
    "C:\Users\Admin\AppData\Local\Temp\bb30c47fc542a81ecb70117f791dcf7a7550c19627da2ebe7c1f5641644d8f13.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 356
  2⤵
  - Program crash
  PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\gang bang lingerie public .avi.exe

Filesize
804KB

MD5
651dc704e16b2f1706110f77f1cdd725

SHA1
24a2a53834e34901f654e7444a445e73cc18e2fc

SHA256
3c0a79fb2c5adcc9693223fa9c9a2187a3d213923373e3e8990cb72fc62d48ff

SHA512
fb1ea83e767605fa21e0b86f9f4dba9a6ca65165a210c3213174ebd538d5ffbed565aacd3dd6db92f07d7b5811b341407b6126aad5d4f87c7eeab92a09d9b65b

Download Submit
C:\debug.txt

Filesize
183B

MD5
87211daf87364cde2869acee4fd1ebfe

SHA1
ef5faf7a9ce04c14892995ebf692d958149855ed

SHA256
712fbd87158b2162cb368178b4acd9e5d85bef3fffc9d53f7dc3e6c48916f022

SHA512
c9d84ba3e0b3bb2ff642fb67c978d726edb96769cc130af19e47a16fb8b4b7555d18ed788af225d1e4ddc880d71c3eb087b619ab43d623132fecfc4ef893c47e

Download Submit