f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
Size

412KB
MD5

20d075527b5b9fb46e4a58d5667c3f57
SHA1

192de0125d718ed42931c60ea5703785843af892
SHA256

f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44
SHA512

d4b365117484a32e98dd736e939a9307c1e572dd78ab89df64ae3c0580f43e309a56ede75b968d89309f6f1df15255c2fcac940b6eca4ca35de63feb5ec65c6d
SSDEEP

12288:A//vi9BVcygfbbZfyUbcOgqIZxcTW5uYH:2wVKFAxV4yUYH

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000015e3c-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\J:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\N:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\P:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\V:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\X:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\H:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\E:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\G:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\U:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\A:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\O:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\W:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\Y:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\K:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\L:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\M:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\Q:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\R:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\S:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\T:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\Z:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File opened (read-only)	\??\B:	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\japanese gang bang trambling [milf] wifey .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish cum blowjob masturbation hole .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\trambling licking .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian kicking sperm big ejaculation .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish cum lesbian girls (Sylvia).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian animal blowjob girls feet .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\lesbian full movie penetration .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian cum xxx hot (!) .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\SysWOW64\IME\shared\lingerie [bangbus] hole .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse full movie .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian nude bukkake girls redhair (Sandy,Sarah).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\bukkake big high heels .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\danish nude fucking hidden balls .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\xxx hot (!) redhair .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian cumshot sperm catfight sm (Gina,Curtney).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files\Windows Journal\Templates\italian fetish fucking big hairy .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\lesbian [bangbus] penetration (Christine,Samantha).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Google\Temp\blowjob girls cock (Kathrin,Liz).mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bukkake full movie feet high heels (Jade).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\russian beastiality lesbian big bedroom .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\japanese kicking beast voyeur cock 40+ .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\sperm masturbation glans .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files\DVD Maker\Shared\blowjob full movie .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling girls titts hotel (Sarah).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish cum sperm several models sm .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\canadian horse public .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\italian porn fucking several models feet .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\cum fucking [free] .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\spanish hardcore big .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\danish cum beast licking hole (Christine,Janette).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\cum beast [milf] titts stockings .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\lesbian uncut glans latex (Curtney).avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\sperm girls .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\italian gang bang fucking hot (!) ejaculation (Sonja,Tatjana).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish animal horse [bangbus] glans hotel (Sarah).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\french lingerie catfight cock .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\brasilian kicking beast catfight cock gorgeoushorny .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\brasilian fetish xxx hidden titts .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\russian porn fucking full movie hole ejaculation .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\gay girls .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian gang bang blowjob catfight (Janette).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\swedish handjob fucking full movie feet bondage (Janette).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\german lingerie uncut hotel (Sonja,Janette).avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\beastiality lesbian [free] (Tatjana).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\xxx hot (!) hole hairy .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\trambling [free] cock 40+ .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\xxx [bangbus] lady .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\blowjob voyeur blondie .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\french lesbian [bangbus] .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\swedish gang bang lesbian hot (!) titts pregnant (Karin).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\porn lingerie hidden .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\tmp\indian action lesbian voyeur shoes .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\InstallTemp\horse gay [free] (Sarah).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\gay masturbation .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\security\templates\blowjob public hole leather .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\sperm big titts girly (Janette).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling uncut circumcision .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\fucking big black hairunshaved .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\british trambling full movie penetration .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\sperm several models .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\Downloaded Program Files\brasilian handjob horse voyeur feet 50+ (Jade).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\black gang bang hardcore [milf] titts .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\italian gang bang beast uncut feet (Kathrin,Janette).avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\asian lesbian big ejaculation .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\indian nude bukkake voyeur bondage (Britney,Tatjana).mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\xxx girls hole girly (Curtney).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian cumshot lesbian full movie ejaculation .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\kicking fucking big .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\kicking xxx sleeping hole sweet (Sylvia).mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\chinese horse public girly .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\american fetish xxx public hole beautyfull (Melissa).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\african fucking [free] cock castration .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\italian action lingerie hot (!) .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\american cumshot bukkake licking bondage (Jenna,Curtney).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\horse horse licking bondage (Sonja,Melissa).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\porn lingerie voyeur redhair .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\norwegian lesbian big lady .mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\asian lingerie lesbian .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\PLA\Templates\brasilian action lesbian lesbian feet balls (Janette).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\handjob lingerie uncut titts (Britney,Janette).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian cumshot gay voyeur (Karin).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black porn fucking uncut sm .zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\danish action gay catfight glans fishy (Samantha).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm [free] (Melissa).rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\chinese sperm catfight .rar.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\gang bang xxx big hairy .mpg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\cumshot horse girls young (Sandy,Tatjana).mpeg.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\hardcore full movie high heels (Christine,Melissa).zip.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\swedish nude bukkake sleeping feet .avi.exe	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
1464	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2712	2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	28
PID 2480 wrote to memory of 2712	2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	28
PID 2480 wrote to memory of 2712	2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	28
PID 2480 wrote to memory of 2712	2480	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	28
PID 2712 wrote to memory of 1464	2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	29
PID 2712 wrote to memory of 1464	2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	29
PID 2712 wrote to memory of 1464	2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	29
PID 2712 wrote to memory of 1464	2712	f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe	29

C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
"C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
  "C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe
    "C:\Users\Admin\AppData\Local\Temp\f8757ccffc48814a8a225638514354d81e7ee83d19a45985400f17071d0c2f44.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian nude bukkake girls redhair (Sandy,Sarah).rar.exe

Filesize
866KB

MD5
b7df459237872c25a29658309480961d

SHA1
8f0393437a4623effbade96f03d4098a171dea4d

SHA256
b979c7a4c95acc2420a0b2ad0986181188e4f7ec8a5043ea0b1ba36ac6e4de33

SHA512
87d764babd1ed45ee361284d79fb21ef04b018ddc7f0b742a2f1f6e2fa9716f32ab9962b367eeec56c5fec63f5da4b3750bf96b3ce61f1f799f4242068753f30

Download Submit