8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
Size

1.8MB
MD5

30f8ce3192c4781b8f5726ff898a41c9
SHA1

3644f7d6ea6775fbe02a8695020fdabb693cd125
SHA256

8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e
SHA512

fff8fdbeb6ee88d889b4676cb6d18919573988d3a82a42c5d7f91bcbe03ac1d7cc6c71be4417adff2ef988f8c9f6b69b44364b47bf6c799d90df77743a4b3e81
SSDEEP

49152:VtElUWZ2VNfGWm3GaLyybOScTw336PrLiHCCdM6Yi5N:Dd3xABVbOScMWeD/

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\W:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\X:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\M:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\E:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\G:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\I:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\K:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\Q:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\S:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\T:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\A:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\Y:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\O:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\U:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\Z:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\L:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\H:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\J:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\P:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\R:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\V:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File opened (read-only)	\??\B:	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\fetish [milf] .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\System32\DriverStore\Temp\cumshot gang bang catfight (Kathrin).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\nude lesbian .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish gang bang lingerie public cock latex .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm public fishy .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian horse [bangbus] black hairunshaved (Jade).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\IME\shared\fetish fetish girls feet gorgeoushorny (Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian cumshot kicking sleeping (Janette).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\FxsTmp\action beast licking glans pregnant .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SysWOW64\IME\shared\danish bukkake animal hot (!) Ôë (Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\xxx bukkake big leather .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Google\Temp\american cum beast [bangbus] .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\german lesbian uncut .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\fucking nude uncut black hairunshaved .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\swedish kicking porn [milf] beautyfull .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\lesbian hot (!) cock .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files\Windows Journal\Templates\black fetish nude hot (!) legs sweet .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Google\Update\Download\french fucking porn sleeping (Jade).avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\russian nude animal big young (Curtney,Samantha).mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian blowjob sleeping .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files\DVD Maker\Shared\british gang bang nude girls hole sm (Melissa,Anniston).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black sperm catfight wifey .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\handjob lingerie catfight shoes (Samantha,Christine).rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\norwegian nude catfight legs .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\german lingerie nude big vagina .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\brasilian horse [bangbus] balls .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\japanese fetish beastiality [milf] upskirt .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\brasilian xxx licking leather (Gina,Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\lesbian several models titts circumcision .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\kicking bukkake [milf] balls .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\german sperm cumshot public shoes .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\security\templates\tyrkish lingerie several models latex (Melissa,Karin).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\tyrkish sperm porn catfight .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\gang bang hardcore hot (!) pregnant .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\bukkake horse hot (!) .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\InstallTemp\chinese action girls boots .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\african handjob gang bang several models vagina (Christine).mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\black animal bukkake [free] hairy .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\cumshot [free] hole YEâPSè& .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fucking big .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish sperm porn hidden .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\asian lesbian public legs (Christine,Jenna).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\norwegian lingerie sleeping bedroom (Sonja,Jenna).avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse lesbian 40+ .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\black blowjob lesbian redhair .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\sperm handjob hot (!) YEâPSè& (Janette).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\italian blowjob several models cock .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\tmp\american fucking [free] black hairunshaved .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum uncut legs wifey .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\malaysia animal kicking lesbian .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\chinese nude [milf] boobs gorgeoushorny (Samantha).avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\indian kicking animal [bangbus] redhair .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\kicking bukkake full movie .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\mssrv.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\african beastiality horse voyeur black hairunshaved .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\beast lesbian uncut cock black hairunshaved .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\american hardcore porn hot (!) redhair .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\nude sperm public boobs swallow (Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\german gay hot (!) (Christine).rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\beastiality gay public black hairunshaved (Curtney).rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\african fucking gay uncut pregnant (Gina,Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\danish horse [free] fishy (Sonja,Janette).mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\swedish lesbian catfight young .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\norwegian beastiality [bangbus] pregnant (Liz,Kathrin).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\malaysia bukkake masturbation black hairunshaved .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\french action lingerie hidden bondage .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\Downloaded Program Files\horse hot (!) hole YEâPSè& (Sonja).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\PLA\Templates\british sperm hardcore masturbation ejaculation .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\italian animal horse girls .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\action sleeping wifey .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\german gang bang action licking blondie .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\malaysia hardcore several models glans traffic (Ashley).mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\brasilian hardcore animal uncut YEâPSè& (Sonja,Liz).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\fucking public (Samantha).zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\spanish horse [bangbus] mistress .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\indian lesbian action girls .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\hardcore hidden beautyfull .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\kicking [free] boobs .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\french fetish lingerie big redhair .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\chinese lesbian cum several models hole traffic (Karin,Karin).mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\beast cum big legs fishy .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\assembly\temp\swedish handjob licking gorgeoushorny .mpg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\spanish action [bangbus] .avi.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\brasilian animal big titts .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\swedish horse lingerie [free] penetration .rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\trambling fucking big young (Gina,Sonja).rar.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\SoftwareDistribution\Download\british cumshot blowjob [free] ìï .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\action beast catfight 50+ .zip.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\british lesbian [milf] titts ejaculation .mpeg.exe	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
2936	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2488	1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	28
PID 1636 wrote to memory of 2488	1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	28
PID 1636 wrote to memory of 2488	1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	28
PID 1636 wrote to memory of 2488	1636	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	28
PID 2488 wrote to memory of 2936	2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	29
PID 2488 wrote to memory of 2936	2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	29
PID 2488 wrote to memory of 2936	2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	29
PID 2488 wrote to memory of 2936	2488	8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe	29

C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
"C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
  "C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe
    "C:\Users\Admin\AppData\Local\Temp\8071ebc2c4db124b9845577c1404cc1d56e7d4e5bca4f42a09987f162042da9e.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\black sperm catfight wifey .zip.exe

Filesize
577KB

MD5
1f7befe84a9646d881f48e3c73d13f9c

SHA1
932e3554662577c896762ecdb6d9340dd3d470e9

SHA256
ae08c77ff87ce184a315f54f5d534a5d65ae1c686d168fa35f8e9863524e3370

SHA512
2c584be78b73d0f8259182a84817e2803263be5ef0f693a434d4b516dd134b7b0c9b2de31bf6d4c985616ab924d40c8d7f3b55673e4d4fab1de80bf3d692b295

Download Submit
C:\debug.txt

Filesize
183B

MD5
0c06f6d308eeb0766233778ffaae3fbf

SHA1
4e73a70675853672740bfed3d1378efb3c82388d

SHA256
f8bcbe1196271e95e804be562c27ed178cc88e8eddf07c22da4dc5afc2a453ef

SHA512
bc6a4c0b2aa5daa9bce43e214b2ddd6d2ef8b302af132dbbeba49627dc19b896e366389fea262f8a0ac7facc9ac3db0b00f956da5b72aed1be4bf790032a5f67

Download Submit