4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
Size

1.9MB
MD5

5c1018fd884545012bf0e89bb6d9b1c0
SHA1

9895e0c712405f22c86a3282adb444a17b881d98
SHA256

4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e
SHA512

1a9f3361db3e97e93b010cf5c03cfb0a2981f8ebc5e6cd024d7876a31d580e00424af783d74b1e5cbaeceba8b874e2e4154fcd8c4ca97dae557d604ab4926439
SSDEEP

49152:VTJG5jSps2zMraYnl2hmJuCxpukIDu/zYZz7yFG+iT0B8Jx5FXE:20s2Arpl5Puk4UwywT0WLXE

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\N:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\T:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\W:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\X:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\A:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\E:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\K:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\P:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\V:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\Y:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\B:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\G:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\I:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\M:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\O:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\Q:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\U:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\Z:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\J:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\L:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\R:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File opened (read-only)	\??\S:	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black kicking lesbian .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian porn beast full movie fishy .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish cumshot horse several models .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm gang bang catfight black hairunshaved (Tatjana,Christine).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\IME\shared\beastiality blowjob girls titts lady .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\malaysia gang bang xxx girls 50+ .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian handjob hot (!) wifey .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\IME\shared\lesbian masturbation .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish lesbian action sleeping vagina .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SysWOW64\FxsTmp\cumshot trambling [milf] hairy (Sonja,Jenna).zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\german bukkake beast uncut .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\gang bang girls swallow (Sonja,Sylvia).avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\brasilian bukkake hardcore uncut hole sweet (Janette).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\beast beast girls .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\action cumshot [milf] (Liz).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files\Common Files\Microsoft Shared\japanese blowjob big glans ash .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files\DVD Maker\Shared\black sperm nude masturbation 50+ (Melissa,Britney).mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\canadian hardcore gay masturbation glans sweet .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\beastiality cum sleeping bedroom .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\beastiality action voyeur glans (Sonja,Anniston).avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\asian nude cum [milf] cock .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files\Windows Journal\Templates\action horse catfight mature .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Google\Update\Download\german xxx licking shower .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gay cumshot voyeur hairy .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\chinese fetish hot (!) .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\indian lesbian girls ash young .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\french bukkake beastiality [bangbus] (Britney).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\temp\american horse cumshot voyeur (Sylvia).mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\xxx horse hot (!) boots .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\asian cumshot hardcore voyeur nipples pregnant .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american beast several models glans (Britney).mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american gay beast hidden (Liz,Ashley).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\indian cumshot gang bang sleeping feet YEâPSè& .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\horse several models YEâPSè& .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\asian blowjob nude uncut cock .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\danish horse cumshot licking cock .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\american nude fucking voyeur hole beautyfull .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\german gang bang [free] femdom .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\trambling girls boots (Liz).zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\black animal big .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\malaysia animal animal [free] nipples shower .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\russian hardcore public wifey .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\canadian nude gang bang [free] wifey .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\african beast horse public fishy (Kathrin,Kathrin).mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\spanish horse cum uncut shoes .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\danish bukkake horse licking titts shower (Liz,Sonja).mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\hardcore big .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\french xxx several models beautyfull (Melissa,Liz).mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\tyrkish handjob animal [free] penetration (Samantha).mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\SoftwareDistribution\Download\french cumshot catfight legs gorgeoushorny (Jenna).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\blowjob full movie .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\spanish action masturbation legs .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\nude gay [free] .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lesbian hidden .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\italian nude big sweet .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african beast voyeur vagina mistress .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\fetish catfight nipples .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\kicking blowjob [free] circumcision (Britney,Ashley).avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\danish hardcore beast full movie .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\swedish kicking licking titts shoes .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\italian nude porn public titts .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum beastiality sleeping upskirt .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\danish horse voyeur .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\spanish hardcore big feet upskirt (Samantha,Kathrin).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\trambling lesbian sleeping cock high heels (Ashley,Jade).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\african gay [free] (Sonja).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\american bukkake cum uncut .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie porn catfight leather .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\japanese gay lesbian 40+ .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\russian horse uncut granny (Sarah,Gina).mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\italian gay lesbian girls glans 40+ .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\malaysia kicking catfight castration .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\fucking fetish big mistress .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\african nude horse lesbian .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\russian fetish hidden .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\french action animal masturbation .rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\animal hot (!) .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\lingerie masturbation vagina shoes .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\gang bang lesbian uncut cock mistress .zip.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\canadian action action public black hairunshaved .mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\russian kicking gay [bangbus] pregnant (Sonja,Kathrin).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\black porn action licking ash ash (Jenna,Janette).mpeg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\danish cum beastiality masturbation (Karin).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\porn masturbation redhair .avi.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\canadian gang bang porn hidden boobs .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\indian xxx licking ash circumcision (Christine).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\sperm gang bang masturbation ash .mpg.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\brasilian gang bang hidden (Karin,Gina).rar.exe	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
2620	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2960	2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	30
PID 2344 wrote to memory of 2960	2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	30
PID 2344 wrote to memory of 2960	2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	30
PID 2344 wrote to memory of 2960	2344	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	30
PID 2960 wrote to memory of 2620	2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	31
PID 2960 wrote to memory of 2620	2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	31
PID 2960 wrote to memory of 2620	2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	31
PID 2960 wrote to memory of 2620	2960	4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe	31

C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
"C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
  "C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe
    "C:\Users\Admin\AppData\Local\Temp\4454e9365eaaa9e8ed865a83b3abc6c95683b965fa6f970e8c4e44e1a0e2496e.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\canadian hardcore gay masturbation glans sweet .rar.exe

Filesize
1.3MB

MD5
d649053cb3a3749fc9ee3ad86d9de726

SHA1
0f1346395203199581f9a5accfaf7f9065bb9197

SHA256
931f7e1c2de515d02b5ffafd6284d4a530e9fbb423028c1d2cfaa7523742bfe9

SHA512
c35e6c4b312a0e318738801e66ae965edf1604526b25bc804642da9a9dfb0513fe68b704156434b7a593906f7bade25c33288d869ba7d9ad12951205083d6232

Download Submit
C:\debug.txt

Filesize
183B

MD5
fef5ec58a03ae57b4a59235be3aabccc

SHA1
17f4958aee632f77a6ff2af9e894f35ae0b67673

SHA256
8a1cbc56f11416c0c3dc18e9a19b329fa93986890db9483a5bfadab19837aa68

SHA512
2201b1b2a2aca4582cc07b4b32d78e752a339b4e21565115031a8e556dc19681cd9a3ace25c799379f5da009ad52f62eb27cad8e703579b8fba34d601c2c0dd1

Download Submit