1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
Size

1.1MB
MD5

772bfdeac4d23e9c9c2bf22426e9e2a2
SHA1

f769e12bd1cd1a6754f829c1ada839f2fd2b1d6b
SHA256

1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3
SHA512

01a97d0b1a224879f1508682a51dc03cc67c1b40e84df61b6b04e1d39054ef4c2e70ccbaa3203e8a0cf842cf1c8d88d0595a44a48702809c17c38b788fed8b01
SSDEEP

24576:oW0oVP1vZlrhH3x/qLNO5j3hotYuarJEuPob3V27LctAfKR:VBXdHB/qLNEjiOJEc+3odKR

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\P:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\V:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\W:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\E:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\G:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\J:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\L:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\N:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\Q:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\T:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\U:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\X:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\Y:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\Z:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\A:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\B:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\I:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\S:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\H:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\K:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\O:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File opened (read-only)	\??\R:	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\british bukkake lesbian hole bondage .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\action beast masturbation (Sarah,Jade).avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\IME\shared\xxx fetish licking glans (Gina).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian beast [bangbus] girly .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\FxsTmp\xxx [free] swallow .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\IME\shared\american beast hot (!) glans ejaculation (Sylvia).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lingerie nude public .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse masturbation swallow .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\FxsTmp\british beastiality uncut fishy (Melissa,Gina).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian hardcore animal sleeping .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\beast public mistress .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\bukkake full movie castration .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\japanese horse licking cock (Sandy).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\kicking public (Christine,Liz).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\german animal [free] legs .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files\Windows Journal\Templates\animal hot (!) sweet (Sandy,Tatjana).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Google\Temp\gay sperm lesbian .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Google\Update\Download\porn bukkake sleeping black hairunshaved .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\gay nude catfight boobs (Sandy,Tatjana).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish hardcore sleeping fishy (Curtney).zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files\DVD Maker\Shared\brasilian gang bang beast catfight hole bedroom (Sandy).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\horse [bangbus] (Ashley,Janette).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\hardcore girls mistress .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\trambling voyeur gorgeoushorny .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bukkake animal licking .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gang bang uncut sm (Karin,Karin).zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\beast lesbian bedroom .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\indian sperm bukkake big cock beautyfull (Gina).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\lesbian big circumcision .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\african handjob voyeur titts .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\brasilian xxx licking vagina blondie (Tatjana).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fucking several models .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\tyrkish horse gay catfight traffic .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\hardcore fucking hot (!) cock redhair .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\action big nipples .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\indian fetish sperm girls .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\tmp\tyrkish animal [bangbus] (Curtney,Liz).zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\horse uncut pregnant .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\chinese cum masturbation .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian kicking several models (Sarah,Britney).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\danish cumshot porn voyeur redhair .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\xxx licking feet .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\brasilian gang bang fucking licking stockings .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\trambling animal catfight penetration .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\chinese trambling girls (Ashley,Sandy).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\chinese fucking xxx big 50+ .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\sperm masturbation shower .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\bukkake animal public bedroom .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\asian lingerie beast sleeping feet .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\horse sperm sleeping stockings .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish kicking kicking hidden femdom (Sonja,Gina).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\horse voyeur (Sarah).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian handjob hot (!) glans .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\sperm big legs pregnant (Tatjana).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\asian bukkake several models fishy .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\lesbian sperm uncut fishy .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\Downloaded Program Files\cum fetish voyeur .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking public vagina .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\canadian kicking sleeping .rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\lesbian trambling masturbation .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\norwegian kicking action licking YEâPSè& .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\russian gang bang fucking masturbation mature .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\trambling blowjob catfight castration .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\indian beastiality [free] .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\nude lesbian feet .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\cumshot xxx public .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\american lesbian lesbian 50+ .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\asian beast sperm big redhair .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\spanish lesbian lesbian (Ashley).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\beastiality big ash .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\russian beast [free] (Sylvia,Samantha).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fetish [free] .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\security\templates\tyrkish fucking beastiality voyeur feet (Britney,Liz).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\fucking fucking [free] .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\lesbian hot (!) hole (Curtney,Anniston).mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\swedish beast girls ash .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\swedish horse bukkake public .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\black sperm beastiality [bangbus] fishy (Gina).zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\norwegian fucking fucking big nipples YEâPSè& .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\SoftwareDistribution\Download\horse cumshot public pregnant .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\beastiality catfight (Tatjana).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\american lingerie cum sleeping glans blondie .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\italian nude hardcore [bangbus] feet girly .mpg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\PLA\Templates\american fetish blowjob licking .avi.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\trambling lesbian uncut feet YEâPSè& (Samantha,Sonja).zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\chinese lesbian lingerie public .zip.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\beast bukkake licking gorgeoushorny (Jenna,Christine).mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\trambling voyeur 50+ .mpeg.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\xxx fucking hot (!) nipples ejaculation (Tatjana).rar.exe	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
1796	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 2472	2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	28
PID 2360 wrote to memory of 2472	2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	28
PID 2360 wrote to memory of 2472	2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	28
PID 2360 wrote to memory of 2472	2360	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	28
PID 2472 wrote to memory of 1796	2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	29
PID 2472 wrote to memory of 1796	2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	29
PID 2472 wrote to memory of 1796	2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	29
PID 2472 wrote to memory of 1796	2472	1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe	29

C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
"C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
  "C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe
    "C:\Users\Admin\AppData\Local\Temp\1fb9a16ae0a6eea8f6ae93fac899e73ff4d06a078489617f163fce0be2b8c1f3.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\beast public mistress .avi.exe

Filesize
957KB

MD5
d42a6dfe9a96772cbded5754e57ac2ef

SHA1
29fc18fe2745aeaa49ad927f88edab5ce72069ba

SHA256
d24de8bf42de562baf86714c802f431a717aab3489b3c5b89d7121c7852ff4b4

SHA512
254da5d5dadf671342adc1f7325126e938b661a16c156cc3d43d695ad4e8134fccad62c52fa29d8170f5408fb8c14d3fcf309d0f4acff6f6d239039ee06d82bc

Download Submit
C:\debug.txt

Filesize
183B

MD5
516cb686d0bc95d3dfdffa5f2e113917

SHA1
1b484e90785155c823275578df08295c91437589

SHA256
043bbcd2d737cedbbf217527fed3779c7802fa521ad8b1d91ac8d22b6e114b6a

SHA512
313376eaa2d6ecd0963be432a0bc5ed66820c34bc319a1b7a44130a650e4031c66b1a66f7f33cc98e0ad4463b8fb7a8cedb4d82a855ba6079b21c04d28744608

Download Submit