fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
Size

385KB
MD5

92e97bf368f15483222bdd7368453919
SHA1

49f72d94ac1560e4ca0a62b9530eea14d0e4b255
SHA256

fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a
SHA512

bbedb8dd72f0bfbe8438d981db985ca5dd05d428729bb7e7618622c6fc04b1fcbe48166fac32ef2d1b57e713e0270cb8415199dc3df060cf3c3ce8528f64233c
SSDEEP

12288:JXCNi9BzaDvY+YC/WVF8C26hWA5NMLUIrX:sWzaTYC/TC2AP0X

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000014207-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\W:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\H:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\K:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\L:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\M:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\O:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\Q:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\A:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\I:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\P:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\V:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\X:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\Y:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\B:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\R:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\Z:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\E:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\G:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\J:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\N:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\T:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File opened (read-only)	\??\U:	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\asian action bukkake girls legs redhair .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\IME\shared\american fetish fucking [milf] feet bedroom .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\animal horse catfight .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian horse beastiality [bangbus] .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\IME\shared\xxx beastiality [free] shower .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\french hardcore horse hidden beautyfull .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\FxsTmp\french cumshot masturbation 40+ (Curtney,Britney).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\malaysia animal handjob hot (!) cock .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\xxx licking .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian horse hot (!) .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\african action uncut vagina hairy (Kathrin).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\french nude animal uncut (Christine,Kathrin).avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\canadian bukkake sleeping nipples gorgeoushorny (Sonja,Sarah).zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\fetish beast hot (!) legs bedroom .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\hardcore fucking licking lady (Melissa,Sonja).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Google\Temp\beastiality big .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\gang bang lesbian [bangbus] boobs girly (Curtney,Jenna).zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files\Common Files\Microsoft Shared\british cumshot beastiality public .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files\DVD Maker\Shared\horse animal hot (!) 40+ .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files\Windows Journal\Templates\beast action catfight .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\russian hardcore kicking hot (!) (Christine).zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian cumshot beastiality full movie .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\cumshot [milf] hotel .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\japanese cum gay masturbation .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\kicking lingerie uncut sm .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\american horse [milf] ash beautyfull .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\russian action gang bang lesbian pregnant .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\african cum animal public feet latex (Liz).mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\indian bukkake nude lesbian hole (Melissa,Christine).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\spanish gay licking glans fishy (Sarah,Sandy).mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\SoftwareDistribution\Download\african cumshot hidden .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\black blowjob beastiality catfight hotel (Ashley).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\norwegian action cumshot hot (!) shoes .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\russian nude beastiality lesbian .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\bukkake full movie .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\indian handjob [free] (Karin).avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\french trambling action public .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\gang bang [milf] traffic .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\tmp\chinese lingerie public (Sonja).avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\malaysia cum [bangbus] nipples swallow (Liz,Tatjana).zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\blowjob several models latex .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\horse horse lesbian latex .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\chinese cumshot licking ash sm .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\canadian bukkake lingerie lesbian high heels .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\fucking hardcore lesbian .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\swedish cumshot public .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\fucking sleeping redhair .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\horse catfight .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\mssrv.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african bukkake handjob big glans leather .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\british beast beastiality full movie stockings .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\beastiality cumshot masturbation (Curtney).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\porn fucking masturbation .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\black horse uncut feet .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\brasilian sperm masturbation boobs gorgeoushorny (Anniston).mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\Temp\spanish gang bang [free] ash YEâPSè& .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\action handjob licking .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\danish fucking sleeping boots .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\chinese fucking horse public YEâPSè& .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\japanese sperm full movie .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\french xxx sperm several models black hairunshaved .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\beastiality animal hot (!) boobs (Liz,Sarah).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\french horse kicking girls titts .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\fucking masturbation high heels .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\PLA\Templates\fucking public lady .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\norwegian action public feet .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\canadian gay uncut nipples latex (Jenna,Sonja).mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\Downloaded Program Files\british nude beastiality full movie .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse horse big penetration .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\canadian handjob gay sleeping upskirt (Janette,Anniston).rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\action sleeping pregnant .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\cum horse hidden titts .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lesbian girls .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\african beast fetish lesbian cock fishy (Liz).mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\nude fucking hot (!) boobs gorgeoushorny .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\sperm horse sleeping titts beautyfull .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\fucking big mature .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\danish beastiality gang bang lesbian feet .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\nude [milf] traffic (Samantha).avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\russian beastiality catfight .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\asian beast lingerie girls .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\norwegian fucking sperm girls .zip.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\animal lesbian big glans ìï (Melissa,Curtney).avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\swedish blowjob kicking masturbation YEâPSè& (Kathrin).mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\sperm lesbian sm .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\indian animal girls penetration .avi.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\fetish lesbian public .rar.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\african cumshot handjob public legs swallow .mpg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\american horse uncut legs .mpeg.exe	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2736	2100	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
2624	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2428	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	28
PID 2100 wrote to memory of 2428	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	28
PID 2100 wrote to memory of 2428	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	28
PID 2100 wrote to memory of 2428	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	28
PID 2428 wrote to memory of 2624	2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	29
PID 2428 wrote to memory of 2624	2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	29
PID 2428 wrote to memory of 2624	2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	29
PID 2428 wrote to memory of 2624	2428	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	29
PID 2100 wrote to memory of 2736	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	30
PID 2100 wrote to memory of 2736	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	30
PID 2100 wrote to memory of 2736	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	30
PID 2100 wrote to memory of 2736	2100	fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe	30

C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
"C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
  "C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe
    "C:\Users\Admin\AppData\Local\Temp\fd81817d9f287847756f1e293aca9f83cf769052058845629d7ab511d440025a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 608
  2⤵
  - Program crash
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\cumshot [milf] hotel .rar.exe

Filesize
1.9MB

MD5
126af26f955f89d8d117a0aa674b4653

SHA1
b568a164c2dbed611cdec9068715f201a0a47d6f

SHA256
790a7d32c6ebf70d0943b678ec94e85359e2989bfcc17b7a4aacc338eff720c2

SHA512
ebbe58a7e9f20635b0ffd57b799caf745ae547dfb80884f0cfab56c164132e15eb3ab339d9726d51f2e193f8787a6744757856937406039bcfcca655e9304d3f

Download Submit