0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
Size

1.6MB
MD5

1491bbe84e8aaa83807b888c3a938eec
SHA1

538283d39a8a79c3a74b18e1fa9b55de963f7392
SHA256

0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f
SHA512

2919eb6618a2003827df467c6d9efdb64a6d97edf2090a4235e9f94a8fc0f969d08dbe58a9d63364fb86a8312d1b7321c8eb50154716e98ccf81cb5a8da2566d
SSDEEP

49152:VzY/VNZXZAR0QN063qIacEEVGw0hvNMY9xs4:1Y/VNbShNjqIacEEVmhvFs4

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 4 IoCs

resource	yara_rule
behavioral1/memory/2360-0-0x0000000000400000-0x000000000042B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/files/0x000a000000015ca0-5.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2576-70-0x0000000000400000-0x000000000042B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/316-86-0x0000000000400000-0x000000000042B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\M:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\O:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\R:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\X:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\H:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\J:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\K:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\L:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\S:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\U:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\W:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\Z:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\I:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\N:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\Q:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\T:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\Y:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\A:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\B:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\E:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\P:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File opened (read-only)	\??\V:	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\spanish fetish licking high heels (Sarah).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\IME\shared\american beastiality public boobs (Janette).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian animal horse full movie .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm action sleeping hole traffic .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse full movie .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\canadian animal gay big (Karin,Sarah).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian trambling hidden legs 50+ .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian beast sleeping wifey .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\System32\DriverStore\Temp\norwegian bukkake xxx sleeping glans .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\african cum sleeping boobs bedroom .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\hardcore xxx girls feet upskirt .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Google\Update\Download\handjob licking (Christine).avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\danish sperm cum lesbian vagina .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian cumshot licking Œß .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files\DVD Maker\Shared\american porn nude several models boobs redhair .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Google\Temp\black kicking cumshot hidden high heels .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\gang bang voyeur black hairunshaved .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\gang bang hardcore big ash .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish action cumshot lesbian (Karin).mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\beast hot (!) leather (Karin).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast full movie girly .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files\Windows Journal\Templates\sperm animal public boobs .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\german porn catfight feet sweet .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\cumshot catfight titts castration (Christine,Karin).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\animal voyeur .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\american porn big .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\kicking voyeur nipples balls (Sylvia,Gina).mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\tyrkish handjob masturbation ìï .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\brasilian kicking horse big circumcision .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish horse animal [milf] traffic (Christine).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\blowjob gang bang voyeur (Anniston,Sonja).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\italian horse sperm sleeping boobs gorgeoushorny .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\tyrkish horse bukkake licking sm .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\black horse nude catfight .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\chinese horse porn [milf] bondage .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\lingerie lingerie [bangbus] legs mature (Gina,Christine).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\asian nude [milf] vagina ash .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\italian kicking gay [bangbus] .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\animal kicking lesbian mature (Sonja).mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\spanish horse hot (!) wifey .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\swedish fucking lesbian sleeping beautyfull .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\beast cumshot voyeur legs tÛ (Liz).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\indian action [free] mature (Sandy).mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\russian kicking sleeping .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\SoftwareDistribution\Download\brasilian beast uncut (Karin).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\sperm horse hidden nipples circumcision .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\british bukkake gang bang uncut .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\japanese xxx sleeping .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\american animal fetish public castration .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast public (Ashley,Curtney).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\nude masturbation hole bedroom .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\temp\danish kicking hardcore public gorgeoushorny .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\canadian trambling action lesbian .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fucking handjob big bondage .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\security\templates\gay blowjob big hairy .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\fucking handjob big granny .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\chinese xxx horse uncut .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\blowjob action several models shoes .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\InstallTemp\fucking uncut .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\action big Ôë (Sylvia,Sandy).mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\japanese handjob handjob [bangbus] swallow .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\russian handjob fetish public 40+ .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\danish hardcore handjob girls lady (Janette,Gina).avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\brasilian beastiality hot (!) balls .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\french bukkake full movie feet .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\PLA\Templates\tyrkish cumshot fucking hot (!) swallow .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\british lesbian gang bang public lady .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\bukkake lingerie lesbian shoes .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\trambling voyeur hole (Sandy).rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\hardcore kicking public glans .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\chinese gang bang nude [milf] 50+ .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\american nude lesbian legs .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\tyrkish handjob several models high heels .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\cum lesbian (Gina,Sonja).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\african porn blowjob licking girly .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\indian beast lesbian hotel .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\lingerie beastiality [bangbus] balls .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\german bukkake licking redhair .mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\indian lesbian trambling catfight cock hotel .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\animal full movie gorgeoushorny (Anniston,Jenna).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\norwegian lingerie hardcore catfight femdom (Sonja).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\trambling [free] legs boots .zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\hardcore big mistress .avi.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\handjob hardcore girls vagina leather (Jenna).mpeg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\chinese lingerie kicking voyeur femdom (Gina).zip.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\fetish hardcore voyeur hole stockings (Melissa,Anniston).rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\malaysia fetish [bangbus] vagina fishy .mpg.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\british beast cumshot [free] .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian horse [free] tÛ .rar.exe	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
316	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2576	2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	28
PID 2360 wrote to memory of 2576	2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	28
PID 2360 wrote to memory of 2576	2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	28
PID 2360 wrote to memory of 2576	2360	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	28
PID 2576 wrote to memory of 316	2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	29
PID 2576 wrote to memory of 316	2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	29
PID 2576 wrote to memory of 316	2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	29
PID 2576 wrote to memory of 316	2576	0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe	29

C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
"C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
  "C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe
    "C:\Users\Admin\AppData\Local\Temp\0840b755947d033cd9a22e3e90f157720b3057e027347ac49d7f2498c287df2f.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\swedish action cumshot lesbian (Karin).mpg.exe

Filesize
1.6MB

MD5
a391b1b61dc319d2a9e41f44e1bb3f39

SHA1
c70117dea7e22481cac7b29bf44c2299d576c44d

SHA256
f1ce89c60f9bb515a50bef844121e5a1245b5f8fbc894a9a556ad5ea003a589b

SHA512
0db99b5a2c56f5d5467c0891f1b142b198eb7f8f9021692ce189b9a79e95866398858f36cfdcfffad80b2d13c781c8511398ed0b8c193054675539156396761d

Download Submit
C:\debug.txt

Filesize
183B

MD5
835d7ac88628fad72ec070c0edbd9d8b

SHA1
7e3a97a99e0e256f1902c496022c74bcbb30f619

SHA256
ed6040df288e779326f652e3f746585e1e98cb6ebc86b9b5ce27af88b2e5e335

SHA512
8b04620e379d3d4419f55e66d4f12a7dc5ace485185d725dda5c005e34097eb08669f39372a82f62b6834245ec2495ab3b941abdb93be34ca6ff95cfd7536fa2

Download Submit
memory/316-86-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2360-69-0x0000000004BD0000-0x0000000004BFB000-memory.dmp

Filesize
172KB

Download
memory/2576-70-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2576-85-0x0000000004DE0000-0x0000000004E0B000-memory.dmp

Filesize
172KB

Download