305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
Size

371KB
MD5

7fd21bcc965d2e1dd43e5950c343bd21
SHA1

bc8e77818da7c3feacdd1144e7080f4c63ba4f86
SHA256

305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3
SHA512

5ef7d2da6e4c02e0e8ecdd634b1464352d3f6bbaad2ce4d23417aec324a291601671254e84b35dab604f471cc2004d554d4dc27c86e1cd047e3c4b61adbbf56f
SSDEEP

6144:A//ICMmDRxs3NBRzQICu/ScU6CKnlWlCeRW1o0HYGMwMFdRSVNYAoLPtEmT0k1Nt:A//vi9BUiS1Zu1tYqMHRg6NPtEtXQ

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\E:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\K:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\N:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\Q:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\W:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\R:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\S:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\V:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\X:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\U:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\Y:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\B:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\G:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\H:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\I:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\M:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\O:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\J:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\L:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\P:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\T:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File opened (read-only)	\??\Z:	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\spanish horse gay masturbation hotel (Sandy,Gina).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\System32\DriverStore\Temp\canadian gay sleeping bedroom .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish cumshot [free] .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\IME\shared\chinese gang bang beastiality public redhair .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beastiality [bangbus] black hairunshaved .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian xxx [bangbus] cock .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\spanish trambling masturbation .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling porn public hole ash .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\british animal horse public .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\SysWOW64\IME\shared\chinese cumshot [milf] sweet .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\Templates\japanese porn sperm several models mature .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\chinese xxx hardcore public vagina granny (Sonja,Christine).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files\Common Files\Microsoft Shared\sperm hot (!) blondie (Karin,Sonja).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\horse uncut femdom (Britney).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Google\Temp\action [free] cock beautyfull .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\tyrkish blowjob sleeping (Britney).mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\beast catfight glans pregnant .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish horse sleeping granny .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\beastiality porn [milf] beautyfull .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian xxx horse [milf] latex .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish beast voyeur ash bondage (Jenna,Janette).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\malaysia trambling handjob hot (!) .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Google\Update\Download\bukkake uncut (Jenna).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\gang bang fetish public nipples (Sandy,Sarah).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\action hidden shower .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\blowjob action hot (!) .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\african kicking [free] .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\cumshot girls cock (Sarah,Curtney).zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\lesbian hidden stockings .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\beastiality lesbian licking black hairunshaved .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\PLA\Templates\sperm hidden shoes (Sandy).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\japanese bukkake beast catfight granny (Melissa,Sarah).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\cumshot big (Curtney,Melissa).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\american lingerie girls vagina upskirt (Liz).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\animal trambling sleeping .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\norwegian bukkake gang bang girls bondage (Sarah).zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\french sperm hardcore [bangbus] ìï (Sylvia).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\indian handjob full movie blondie (Sarah,Jenna).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\british fucking [free] circumcision .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\malaysia porn blowjob uncut boots (Christine).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\black trambling several models (Sonja,Christine).mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\american xxx hidden traffic .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\african trambling fetish [free] .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\canadian cum voyeur young (Gina,Kathrin).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\tyrkish fucking sleeping cock high heels .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\nude hidden .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish action [bangbus] latex .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\indian nude lesbian several models .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\malaysia horse blowjob uncut (Kathrin,Liz).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\british porn trambling uncut hotel .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\japanese nude bukkake sleeping fishy .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\bukkake lingerie several models .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\gay beastiality catfight circumcision .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\asian lingerie action public hotel (Sylvia,Christine).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian animal lesbian hidden ash .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\malaysia cumshot hot (!) ìï .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\french handjob masturbation ash .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\nude several models balls (Jade).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\chinese gang bang gang bang masturbation feet (Samantha).mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\nude action [milf] vagina 50+ .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gay [free] (Karin,Curtney).zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\InstallTemp\french porn voyeur .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\british nude trambling masturbation femdom (Kathrin).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian lingerie girls cock (Britney,Anniston).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\norwegian sperm blowjob hot (!) .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\asian beastiality girls girly .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\Temp\gay licking (Karin).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm porn hot (!) vagina castration .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\temp\russian beastiality beast lesbian YEâPSè& .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\nude several models ash upskirt (Sonja,Anniston).mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\gay beast sleeping .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\african porn girls .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\porn masturbation nipples .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\danish cumshot hardcore public fishy .avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\malaysia horse full movie (Gina,Sylvia).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\indian action girls 50+ .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\french sperm masturbation cock swallow .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\chinese hardcore beastiality hidden penetration (Sylvia).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\trambling handjob [free] swallow .zip.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\brasilian action full movie gorgeoushorny .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\chinese action hardcore sleeping young (Sandy,Christine).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\french blowjob lesbian traffic (Sarah).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\gay big bondage .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\malaysia horse kicking [milf] shower (Janette,Britney).rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fucking trambling big circumcision (Britney).avi.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\Downloaded Program Files\fucking cumshot masturbation .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\horse hardcore [milf] shower .rar.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\tyrkish nude animal licking swallow .mpg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\african action [free] .mpeg.exe	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
1864	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2480	824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	30
PID 824 wrote to memory of 2480	824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	30
PID 824 wrote to memory of 2480	824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	30
PID 824 wrote to memory of 2480	824	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	30
PID 2480 wrote to memory of 1864	2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	31
PID 2480 wrote to memory of 1864	2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	31
PID 2480 wrote to memory of 1864	2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	31
PID 2480 wrote to memory of 1864	2480	305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe	31

C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
"C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824
- C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
  "C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe
    "C:\Users\Admin\AppData\Local\Temp\305ab7921cdbadcbe338640c1cce32827f2652d897a630066947f606b815fcd3.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish horse sleeping granny .avi.exe

Filesize
1.1MB

MD5
9368233dca488ec1950e1ff051dadcf7

SHA1
6683e04c9e866f41b282fa3248d5820cce3b63b9

SHA256
3fa86278ed9bccc80f7bde8c5fd87881c5531fd892c3fdd7aa809224466f2272

SHA512
4a081568a033b0e625abd8ae322c06216d4c688fa50aa57c580c63404e9f544e928b786268a6f881a2ea6097d7c20cbf6d287701727c53f4c74ab219d022d321

Download Submit
C:\debug.txt

Filesize
183B

MD5
591bfa1d964480c0401e68422626b72e

SHA1
e8275d54d331061cd218ce5a52d294e3283be511

SHA256
ec26d09262edc12b3fd7b44ad225e5eb9ae533c1c15c7714dbd528ea8522bab6

SHA512
d4104ee77b82490b487c5e6e13bd2bb399ba05611fa7fb7beb314cfa1282d797626e986f7dda36fe600246444bc8a2c13facf3e2f10ac841ff15b23731f9fd69

Download Submit