7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
Size

1.2MB
MD5

0028b0c38cbf42035073cbb529298705
SHA1

785e2773fcf807a931851a36fb31d644aea521e8
SHA256

7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211
SHA512

e6aaeacba2e122ed8669e0b6c841c7a273eb9683cf90001c2cfc933a29ed005dbe46b49a0c32b29e2471e427ce1d5a7436ea87244fee753c802e2daec43051fc
SSDEEP

12288:A//vi9BtfC2LjSpAcQnZTGulFpYjZ4u3mQpGY1v9Nuy8+LMKkH/11wh6+eOrYHZ3:2w9ZrnZTHPZuWc1tSLmrY81UcfiR755h

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023629-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\M:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\N:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\S:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\Z:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\B:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\E:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\H:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\I:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\O:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\V:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\J:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\K:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\Q:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\T:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\U:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\X:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\Y:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\G:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\L:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\P:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\R:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File opened (read-only)	\??\W:	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\italian cum trambling licking hole swallow .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian sleeping girly .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian animal lingerie big cock YEâPSè& .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\FxsTmp\asian gay uncut bondage .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish beastiality xxx lesbian hole wifey .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish action lesbian big shoes (Jenna,Melissa).mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian animal beast [bangbus] castration .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish gang bang horse [milf] hole (Sonja,Janette).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian cumshot xxx voyeur cock mistress (Jade).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian lesbian titts latex .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian animal hardcore [milf] bondage .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\System32\DriverStore\Temp\lesbian [free] swallow .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Updates\Download\beastiality bukkake masturbation lady .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\indian porn trambling [milf] titts Ôï .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CFD7095D-03FC-4A5C-948B-20FAB1B69302}\EDGEMITMP_4CFFA.tmp\brasilian porn trambling [free] gorgeoushorny .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUA671.tmp\blowjob [bangbus] feet .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american gang bang sperm lesbian mistress .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian horse lesbian [milf] titts pregnant (Melissa).mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish beastiality lesbian public femdom .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Google\Temp\norwegian hardcore voyeur hole black hairunshaved (Janette).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Google\Update\Download\brasilian cum fucking catfight bedroom (Gina,Karin).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beast lesbian ash .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish beastiality hardcore sleeping redhair .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beast lesbian titts traffic .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\indian fetish blowjob big titts upskirt .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Microsoft\Temp\brasilian horse fucking catfight feet hotel .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Common Files\microsoft shared\black action bukkake voyeur feet fishy .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore [milf] hole YEâPSè& .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sperm hot (!) (Liz).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\fucking public glans .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese beastiality fucking public hole .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Program Files\dotnet\shared\hardcore catfight swallow .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\beast sleeping (Tatjana).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\horse girls (Tatjana).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\danish animal trambling several models YEâPSè& .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\trambling hidden glans bedroom .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\fucking hot (!) feet penetration .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\brasilian animal sperm catfight glans Ôï (Sarah).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\beastiality beast several models ash .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\InstallTemp\beastiality xxx [bangbus] feet fishy .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\assembly\tmp\lingerie [bangbus] .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\Downloaded Program Files\gay full movie titts latex .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\british lesbian full movie hole 40+ .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\german hardcore full movie feet latex .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\lingerie big hotel .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\fucking full movie titts ash .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\danish cumshot beast catfight swallow .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\cumshot trambling several models 50+ .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\action lesbian [bangbus] (Janette).zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\SoftwareDistribution\Download\black cumshot sperm [bangbus] bedroom .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\italian cum lingerie big .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\canadian bukkake [milf] castration .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\spanish bukkake big ash .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\blowjob public feet .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\german horse public hole .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\blowjob masturbation titts Ôï .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\tyrkish nude bukkake sleeping titts black hairunshaved (Janette).rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\german sperm catfight glans penetration .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\french horse [free] .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\black kicking horse [milf] granny .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\fetish hardcore masturbation mature .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\nude hardcore public feet .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\porn xxx masturbation .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\porn bukkake hidden titts .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black fetish horse big titts .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\malaysia bukkake [bangbus] cock shoes (Samantha).mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\action beast [milf] latex .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\japanese horse hardcore girls .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\assembly\temp\brasilian animal horse masturbation .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\action blowjob masturbation fishy .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\animal sperm girls feet wifey .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\trambling lesbian titts castration .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\porn beast big high heels (Anniston,Liz).mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\brasilian cum xxx [free] circumcision .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\horse beast catfight hole pregnant (Sarah).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\kicking lingerie [milf] cock .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\horse beast [milf] cock (Christine,Samantha).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese animal blowjob [bangbus] (Sarah).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\asian xxx masturbation .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\horse hardcore full movie cock .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\indian action hardcore several models hole swallow .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\bukkake public high heels .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\horse [bangbus] .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\german lesbian big titts girly .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\tyrkish fetish lesbian uncut glans ash .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\russian gang bang bukkake uncut cock .mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\hardcore hidden (Curtney).avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\asian lesbian several models cock .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\japanese action hardcore lesbian titts mistress .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\canadian lingerie [bangbus] titts blondie .avi.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\canadian lesbian [milf] hole (Kathrin,Janette).mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\german hardcore several models cock traffic .mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\swedish fetish beast public titts lady .zip.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\american animal fucking public feet hairy (Sylvia).mpeg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\black kicking beast several models granny .rar.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
File created	C:\Windows\InputMethod\SHARED\japanese kicking blowjob uncut hole shoes (Sylvia).mpg.exe	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
4768	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
1552	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3556	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	93
PID 740 wrote to memory of 3556	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	93
PID 740 wrote to memory of 3556	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	93
PID 3556 wrote to memory of 4768	3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	95
PID 3556 wrote to memory of 4768	3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	95
PID 3556 wrote to memory of 4768	3556	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	95
PID 740 wrote to memory of 1552	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	94
PID 740 wrote to memory of 1552	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	94
PID 740 wrote to memory of 1552	740	7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe	94

C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
"C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740
- C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
  "C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
    "C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe
  "C:\Users\Admin\AppData\Local\Temp\7a9feffcac4ceb7ab729a0e77c2dbc0736fd7ebc1943e3254828619294291211.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4472,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
1⤵
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish beastiality hardcore sleeping redhair .avi.exe

Filesize
1.9MB

MD5
11649471d26008591f508bda3769eb83

SHA1
a0839549a037d50547a86b1293b0e3bb34c95000

SHA256
906aefcb70897fcc9add763fa35948353f409cfac68ef8c38dc7918f64c96d4d

SHA512
f18a3fc87ed018d7a5eb9ab6d3d7fa310e509de18f21f3699baa4273ede88d73da7b06aaeb90aec043158de8f79b29cf4f38b4457a7a922e6f9dcd917a108f91

Download Submit