20d01f15845ea81efc5ac21b7e2f14cc0d5d85510d8a866bf6ab3e98caf5cfde

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fb2f80361d9ee598f6a33d5dcc4ac0.exe
Size

1.0MB
MD5

46fb2f80361d9ee598f6a33d5dcc4ac0
SHA1

037a6eb7ce54aa3b0ab827ba54378cb2d8156cd1
SHA256

20d01f15845ea81efc5ac21b7e2f14cc0d5d85510d8a866bf6ab3e98caf5cfde
SHA512

fbc1b1c2a65a4359cdce9f0270b2e7e1e81b3acf5cc93b785efd040fe5f8d3ccf659bdf788cab87788c5d7121d03aa56c434373e6c66701c06f0a69919f1c120
SSDEEP

24576:oWCU12Y/QF22fEw/t8JS3rzVN3MxGd+t8CkIb+wDxviSOGwjfF4jg9sPm:V7h/h2fE4t8I3rMxGukXwYGqfF4jZPm

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\S:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\B:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\I:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\J:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\L:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\M:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\U:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\W:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\E:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\G:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\H:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\K:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\P:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\T:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\X:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Z:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\A:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\N:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Q:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\R:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\V:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File opened (read-only)	\??\Y:	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\shared\bukkake masturbation glans balls (Samantha).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish animal beast catfight (Tatjana).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\bukkake hidden glans traffic .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\IME\shared\brasilian gang bang sperm several models cock penetration (Liz).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lingerie hidden (Janette).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\FxsTmp\bukkake several models beautyfull (Ashley,Karin).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\System32\DriverStore\Temp\bukkake [free] (Curtney).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\FxsTmp\african xxx sleeping castration .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse voyeur cock .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay voyeur .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\hardcore public fishy (Sonja,Karin).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\italian cum beast catfight cock balls (Janette).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Google\Update\Download\sperm several models glans sweet .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\indian cumshot blowjob uncut shower .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\italian kicking fucking several models penetration (Christine,Janette).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\indian horse lingerie [free] balls .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\DVD Maker\Shared\lingerie big cock (Britney,Samantha).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob [milf] cock stockings .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\blowjob voyeur glans 50+ .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\japanese animal gay hot (!) sweet .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\hardcore hidden bondage .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files\Windows Journal\Templates\brasilian cum lingerie masturbation hole .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\trambling catfight circumcision .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\lingerie voyeur (Tatjana).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black cum trambling catfight blondie .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian nude xxx [free] (Karin).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\black cum gay sleeping .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\german trambling public leather .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\chinese bukkake [bangbus] balls .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\gang bang blowjob several models hole girly .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\danish handjob trambling [bangbus] shoes .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\italian beastiality sperm sleeping cock sweet (Tatjana).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian kicking beast masturbation castration .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\chinese hardcore several models (Sarah).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\beast licking feet .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\russian handjob gay several models glans blondie .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\norwegian bukkake full movie gorgeoushorny .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\beast sleeping cock leather .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\indian beastiality trambling several models (Tatjana).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\animal sperm [free] cock .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\nude bukkake licking glans .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\chinese sperm catfight .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\spanish fucking licking ejaculation .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\italian action horse public cock ejaculation (Samantha).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\mssrv.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\bukkake full movie titts hotel .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\cum lesbian sleeping ejaculation .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\porn sperm sleeping shoes .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\blowjob uncut hole hairy .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\norwegian trambling masturbation cock .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\canadian trambling catfight shower .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\swedish horse gay big titts granny (Tatjana).avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\canadian gay several models penetration .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\italian porn blowjob [milf] 50+ .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian kicking lesbian licking .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\cum trambling full movie cock upskirt (Karin).mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\african hardcore masturbation (Jade).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\beast hidden gorgeoushorny .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\black beastiality trambling hot (!) leather .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\japanese porn hardcore several models circumcision .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\japanese action lingerie uncut fishy .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\xxx lesbian titts .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\SoftwareDistribution\Download\hardcore [bangbus] mistress .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\lingerie voyeur fishy (Gina,Tatjana).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\danish nude beast [bangbus] sm .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\british xxx voyeur 50+ .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\american cum blowjob public gorgeoushorny .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\beast hot (!) hole black hairunshaved (Sarah).rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black action xxx lesbian Ôë .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\PLA\Templates\italian fetish sperm uncut (Liz).zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\canadian blowjob [free] shower .mpeg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\brasilian kicking horse big .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\french sperm uncut feet .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\Temp\blowjob hot (!) .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\american kicking gay catfight granny .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\beastiality hardcore several models .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\american horse fucking licking .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\german fucking masturbation cock latex .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\swedish porn bukkake full movie ash .rar.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\blowjob sleeping titts .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\danish horse horse uncut (Melissa).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\danish porn lesbian [free] titts young .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\italian cumshot bukkake several models ejaculation .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\horse horse [bangbus] .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\temp\fucking lesbian bondage .avi.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\french xxx licking girly .mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\animal lingerie hot (!) cock high heels (Sylvia).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\assembly\tmp\bukkake full movie (Sarah).mpg.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\blowjob voyeur bondage .zip.exe	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe
1560	46fb2f80361d9ee598f6a33d5dcc4ac0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2484	2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	28
PID 2872 wrote to memory of 2484	2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	28
PID 2872 wrote to memory of 2484	2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	28
PID 2872 wrote to memory of 2484	2872	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	28
PID 2484 wrote to memory of 1560	2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	29
PID 2484 wrote to memory of 1560	2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	29
PID 2484 wrote to memory of 1560	2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	29
PID 2484 wrote to memory of 1560	2484	46fb2f80361d9ee598f6a33d5dcc4ac0.exe	29

C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
"C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
  "C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe
    "C:\Users\Admin\AppData\Local\Temp\46fb2f80361d9ee598f6a33d5dcc4ac0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob [milf] cock stockings .rar.exe

Filesize
838KB

MD5
1c886e9d9b2490442c24ecf14343e3a4

SHA1
41a80de61a30a83723c85f9c49d31255e2dd6447

SHA256
f636d8eddfad4e7fe237bb850c0c15a2707e2ae53a2b204728b4dbb7b60ffa2f

SHA512
ebba7b5917316939f32ca5124e2ffffa5d52ed27d12409687f7b2f7833fc552c64a5f0350172b32bfb5250e1bfbce359849fae43dcaa562ba1c2c3e388d80b0b

Download Submit
C:\debug.txt

Filesize
183B

MD5
f9a02c33e2062e8c0691636583848a76

SHA1
137c429c5ee86a1d1009e7ef0bc3e7c75aaac4af

SHA256
0c6dd3259f687cf406aced454fade523656de2c9384baa6c0fab9e51551c2271

SHA512
a1c58ed4ad99afef2b7f810267f985c83f90f11650b60bedb2794ab15783cb234235fe790a6d89ce4dbc3c77b5643bdd7380b168ca213a0d117b0282db407e87

Download Submit