7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29/06/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
Size

1.6MB
MD5

8b82c94e05cd618f0b543678d513f197
SHA1

225802b65ce6797e7a01dbf5746ee0d736dab6e6
SHA256

7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf
SHA512

5fe4cdf78f9cd4bb064102b7a71de1abe9382330984f43754c27f46f685810849a105712ed9e862ceaceb8ee39a20cfc7e2f49d8dd99ffa0c6ff9465ac68b6b6
SSDEEP

49152:BwIkMiyXfJErkYuqmhnKy45JOgTzfb2Vl3T/Bh3ES2:SyxqkYuUJOgvb2TT/BqS2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\P:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\A:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\E:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\H:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\U:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\M:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\R:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\V:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\X:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\I:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\J:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\K:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\L:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\Z:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\S:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\T:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\W:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\Y:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\G:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\N:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\O:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File opened (read-only)	\??\Q:	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american porn hardcore sleeping .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\System32\DriverStore\Temp\danish cumshot sperm licking upskirt .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm full movie cock swallow .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob catfight young (Jenna,Sarah).rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish beastiality fucking girls glans wifey (Sylvia).zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian handjob xxx voyeur .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\IME\shared\tyrkish action fucking [bangbus] leather .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american nude xxx girls high heels .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish kicking trambling uncut bondage .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\SysWOW64\IME\shared\indian gang bang lesbian public girly .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\american horse fucking full movie cock stockings .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\brasilian cum sperm licking 50+ (Anniston,Sylvia).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files\Common Files\Microsoft Shared\danish horse sperm masturbation gorgeoushorny .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files\Windows Journal\Templates\indian horse horse [free] traffic .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\black handjob beast public feet penetration .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake masturbation titts .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\lingerie [free] hole .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\russian cum bukkake hot (!) cock boots (Karin).mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Google\Temp\sperm voyeur .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\trambling hidden sweet .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian porn fucking full movie girly .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files\DVD Maker\Shared\italian action fucking girls .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\russian animal gay catfight feet .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\blowjob hot (!) .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\indian cum horse big (Jade).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\italian kicking horse hidden (Curtney).mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\tyrkish horse beast girls cock .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\spanish sperm big (Janette).mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\spanish bukkake hot (!) glans high heels (Samantha).zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\spanish trambling girls shoes .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\asian lesbian hidden feet swallow (Jade).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\russian cum hardcore licking glans 50+ .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\swedish animal sperm several models bondage .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\norwegian sperm full movie feet bondage .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\tyrkish gang bang lingerie [free] fishy .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\american horse gay [bangbus] (Janette).mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\black gang bang fucking [bangbus] glans hairy .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\porn gay uncut lady .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\german lingerie masturbation redhair .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\temp\brasilian action gay [milf] ìï .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\cum fucking catfight cock .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\Temp\tyrkish beastiality horse lesbian .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\danish cumshot trambling [free] circumcision .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\russian cum xxx hot (!) cock shoes (Samantha).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\action beast hidden cock .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\tyrkish horse bukkake several models young .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\black handjob beast [free] (Samantha).rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\beastiality beast hidden granny (Christine,Sarah).rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\brasilian kicking fucking full movie cock shoes (Jade).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\danish animal sperm sleeping cock boots .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\brasilian porn beast public stockings .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\african blowjob [free] balls (Anniston,Liz).zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fucking catfight titts .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\bukkake uncut hole YEâPSè& .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\blowjob hidden .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\security\templates\danish cum lingerie [milf] hairy (Ashley,Sarah).mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\horse masturbation cock .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\german sperm [bangbus] titts (Anniston,Karin).mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\fetish blowjob hot (!) .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\norwegian gay [free] hotel .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\swedish action blowjob uncut lady .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\swedish gang bang horse several models feet .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\black porn xxx full movie 50+ (Anniston,Tatjana).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\african lesbian hot (!) .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\brasilian action bukkake [milf] hole wifey .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\danish horse fucking public swallow .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\black cum lesbian sleeping sweet .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish horse hardcore uncut boots .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\action blowjob [free] (Melissa).zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\french beast sleeping feet .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\hardcore girls circumcision .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\danish gang bang sperm [bangbus] granny .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\indian horse beast public cock circumcision (Curtney).mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\british lesbian [bangbus] titts .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\lesbian lesbian hotel (Sandy,Samantha).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\russian nude lingerie voyeur shower .mpeg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\russian porn blowjob licking titts .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\lingerie several models .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\malaysia xxx lesbian shower .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\kicking bukkake big leather .rar.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\danish porn trambling catfight glans circumcision (Tatjana).zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\brasilian porn xxx voyeur femdom .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\norwegian xxx several models .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\horse full movie hole hotel (Jade).avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\blowjob full movie bedroom .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\asian lesbian full movie hole .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\african lesbian licking .avi.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\brasilian cumshot lingerie [free] .mpg.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\british fucking full movie gorgeoushorny .zip.exe	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2608	2428	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
2592	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 2764	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	28
PID 2428 wrote to memory of 2764	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	28
PID 2428 wrote to memory of 2764	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	28
PID 2428 wrote to memory of 2764	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	28
PID 2764 wrote to memory of 2592	2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	29
PID 2764 wrote to memory of 2592	2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	29
PID 2764 wrote to memory of 2592	2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	29
PID 2764 wrote to memory of 2592	2764	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	29
PID 2428 wrote to memory of 2608	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	30
PID 2428 wrote to memory of 2608	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	30
PID 2428 wrote to memory of 2608	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	30
PID 2428 wrote to memory of 2608	2428	7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe	30

C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
"C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
  "C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe
    "C:\Users\Admin\AppData\Local\Temp\7c599d4c1205594121faaf722a55e169b736896e7d13afed83f4a190b6768bbf.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 608
  2⤵
  - Program crash
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\russian cum bukkake hot (!) cock boots (Karin).mpg.exe

Filesize
278KB

MD5
b80fb99f9f544afa289698f619677925

SHA1
58109a2b3936722157e12f5e9fcb1f527953765b

SHA256
bf8c08e429c4541b3bceeb49abdbee0a7032847882ef7bacb49dc03df436f03f

SHA512
9dcacb37e5cb9fe24a0a8e6623b0c5e1af0d4b25c4a461cd29b543d1633971d4f87c38fdbb5680bc7ff011202a904886aa297c906bf89dd21321190cc0741f74

Download Submit
C:\debug.txt

Filesize
183B

MD5
4648379c6bbd1346f6c566a6aa74a686

SHA1
012dcc077938cebfa491600171c8e95cba1047ff

SHA256
0fba754eee4c354d90acdbd5068f06e677dadf58b9a9e33968881641f6c0feac

SHA512
1ac08106037b59279085d7e2672b947b3671ab650f8d1c48095133d2849b23910324ba7403bcf28401bf3b55c0965af59f2634530543f818ce73417e68c8060a

Download Submit