298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8

Analysis

max time kernel
152s
max time network
163s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
Size

895KB
MD5

87121f3a5ff886446bf496b1a54d0bb0
SHA1

ae4e88250d29909ffa0cdbaa4425d17aa3895d52
SHA256

298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8
SHA512

ebd5d8f35f68c02161223e17003a6158e81bfdaa19873da4c9466766efd53d0132527c9467b94b05b3b071f649215205475779317da888c00530ab41b48d00e8
SSDEEP

24576:2wsKuU3hsn3oetSz31nq4AzqysGM1OUBI9I63aXh:hs8hsn4et6304A2ysDkB9Iwsh

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\Y:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\H:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\R:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\T:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\K:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\M:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\Q:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\S:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\W:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\E:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\I:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\J:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\Z:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\A:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\L:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\O:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\P:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\U:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\X:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\B:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\G:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File opened (read-only)	\??\N:	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian animal beast licking ash .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\italian action hot (!) .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\System32\DriverStore\Temp\cumshot hidden penetration .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\IME\shared\british beastiality hot (!) beautyfull .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\asian sperm full movie .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian porn [bangbus] redhair (Sonja,Jenna).avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\IME\shared\indian sperm cumshot [free] (Ashley).rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian lesbian [bangbus] .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese handjob lesbian fishy .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\action xxx licking .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american hardcore cum big .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\swedish nude [bangbus] (Karin).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Google\Update\Download\kicking hardcore full movie (Jade).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Google\Temp\fucking girls boobs .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\malaysia blowjob lesbian girly (Kathrin,Ashley).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\brasilian handjob licking Œß (Sandy,Sylvia).mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\lesbian xxx masturbation feet bedroom .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\french sperm trambling [free] .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files\Common Files\Microsoft Shared\brasilian horse several models black hairunshaved .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\horse uncut sweet .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\german nude animal girls .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\german horse sleeping titts .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files\DVD Maker\Shared\indian cum fetish licking hole young .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files\Windows Journal\Templates\beast cum hot (!) ash (Curtney).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\german beast licking ash beautyfull .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\porn [milf] .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\asian lingerie masturbation (Tatjana).mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\hardcore bukkake girls legs lady .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\chinese lingerie bukkake licking titts gorgeoushorny .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\bukkake lingerie masturbation traffic (Tatjana).avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\nude [bangbus] .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\russian cumshot [free] girly (Curtney).rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\danish bukkake horse lesbian boobs .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\malaysia beastiality hot (!) titts .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\asian handjob kicking [bangbus] beautyfull (Ashley).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\horse hot (!) .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\action cumshot catfight swallow .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\lesbian [bangbus] leather .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\african beast trambling [bangbus] hole lady .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\german nude handjob hot (!) mature .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\japanese trambling blowjob [bangbus] circumcision .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\fucking hot (!) cock .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\italian handjob fetish catfight nipples YEâPSè& (Sonja,Curtney).avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\fetish masturbation (Kathrin).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\japanese fetish trambling [milf] balls .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\black cum gay sleeping granny .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\security\templates\russian fetish horse lesbian legs (Sonja).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\blowjob blowjob uncut .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\horse nude [milf] glans boots .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\tyrkish sperm cum sleeping ejaculation .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\danish beast [milf] 40+ (Curtney,Britney).rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\beast nude [milf] ash (Karin).mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\blowjob horse licking YEâPSè& (Melissa,Sarah).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\african sperm blowjob uncut beautyfull .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\nude sleeping circumcision .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\hardcore xxx [milf] .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\black fucking lingerie licking titts redhair (Gina).avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\Temp\american gang bang uncut .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\temp\porn full movie circumcision .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\tyrkish hardcore horse public latex (Britney).mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\danish horse big .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\german horse big penetration .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\tmp\african horse full movie feet wifey .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gang bang cumshot public glans .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\malaysia sperm [bangbus] mistress .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\fucking fucking [bangbus] granny .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\sperm public (Anniston).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\african bukkake uncut latex .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\indian cumshot licking .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\swedish cumshot beast [bangbus] wifey (Sarah,Britney).mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\lingerie handjob full movie nipples bondage (Sarah,Karin).zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\black cumshot public sm .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\spanish beast fucking sleeping legs .rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\japanese handjob gang bang [bangbus] ash mature .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\fucking hot (!) feet .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\handjob lesbian glans mature (Britney).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\chinese beast licking hole (Curtney,Anniston).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\horse full movie circumcision .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\african xxx blowjob lesbian (Janette).rar.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\asian xxx animal lesbian mistress .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\malaysia cum animal masturbation feet .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\german lesbian hot (!) hole girly .avi.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\hardcore several models vagina (Sandy,Sonja).mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\cum horse big boots .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\trambling horse full movie ejaculation .mpg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\chinese xxx girls .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\malaysia trambling full movie .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\gay girls .mpeg.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\russian cum [free] feet .zip.exe	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2744	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2268	2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	30
PID 2456 wrote to memory of 2268	2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	30
PID 2456 wrote to memory of 2268	2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	30
PID 2456 wrote to memory of 2268	2456	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	30
PID 2268 wrote to memory of 2744	2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	31
PID 2268 wrote to memory of 2744	2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	31
PID 2268 wrote to memory of 2744	2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	31
PID 2268 wrote to memory of 2744	2268	298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe	31

C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
"C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
  "C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe
    "C:\Users\Admin\AppData\Local\Temp\298220726a33e54d2ea3726c815b162714dc0700fb34ee14ba4f640243d58fb8.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\american hardcore cum big .mpeg.exe

Filesize
1.2MB

MD5
b4fa66acb39d8d65660634d72b66f43d

SHA1
eb649e020d08a9f30729689b207aab1c0bde2b76

SHA256
f47fb228baeade65f5ab93f2dcdde729114103395fdd9cc23a56e8b2e8c53acf

SHA512
c922b359e6b55cb05b7bf36c1909b0e26f3fed92ea6fa37d1c0558d76a81dd3b182b155f65a3ee2865e0144a071cfe0286b9d91669e2b4ebd232f379f2963fe0

Download Submit