524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
07/07/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
Size

281KB
MD5

8738913ee8d30e41fb9d2d7ea40f0e88
SHA1

153e77b0b66f38bbbfdaf2580e7975f0bf9bdf65
SHA256

524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977
SHA512

b7d573c1c22dc41aa3d01158b7961de753eb1d90e222901d3f5696e21639362462e13505d24fac7118e673ca490a868658b030f05676236dcf1c5f8166767dad
SSDEEP

6144:A//ICMmDRxs3NBRfFuOtsgEqRdFB9xuzfpx2rO:A//vi9B1tbEGzVsxb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\X:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\R:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\N:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\Q:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\T:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\V:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\Y:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\L:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\G:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\H:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\J:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\M:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\O:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\U:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\Z:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\B:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\E:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\I:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\K:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\P:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\W:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File opened (read-only)	\??\A:	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\bukkake several models hole .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\FxsTmp\american gang bang hardcore lesbian (Janette).mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking [milf] hole balls (Jade).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beast [bangbus] feet 40+ .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\System32\DriverStore\Temp\bukkake [bangbus] bedroom .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\FxsTmp\blowjob [milf] (Liz).rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\IME\shared\black gang bang lesbian hot (!) hole .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\fucking sleeping glans .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish cum blowjob several models hole traffic (Jade).mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\SysWOW64\IME\shared\tyrkish porn gay [free] balls .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\swedish cum gay voyeur (Janette).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\russian handjob bukkake big girly .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian animal sperm public hole 40+ .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie masturbation feet bondage (Janette).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\indian nude blowjob [milf] (Jade).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian animal blowjob masturbation latex (Sonja,Sarah).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Google\Temp\danish cumshot blowjob hot (!) ìï .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\japanese kicking blowjob full movie feet granny .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\lingerie lesbian wifey .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bukkake [bangbus] titts lady .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files\Windows Journal\Templates\blowjob [free] glans .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\blowjob full movie .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files\DVD Maker\Shared\blowjob [bangbus] hotel .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie masturbation shower .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\danish animal sperm sleeping 50+ .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\fucking voyeur ìï .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\norwegian trambling [milf] feet .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\canadian bukkake [free] bedroom .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\lingerie lesbian hairy .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\american kicking gay several models sm .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\Downloaded Program Files\fucking [milf] bedroom (Ashley,Sarah).rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\PLA\Templates\sperm big glans castration .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\action trambling full movie cock granny (Melissa).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\norwegian lingerie licking traffic (Gina,Sarah).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\kicking trambling catfight pregnant .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\beastiality hardcore hidden YEâPSè& .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\french gay [bangbus] YEâPSè& .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\horse xxx masturbation ash (Ashley,Jade).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\cum xxx uncut .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\chinese sperm uncut mistress .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\danish action fucking uncut latex .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\indian animal blowjob catfight cock fishy (Sylvia).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx hidden cock mistress .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian kicking bukkake voyeur glans traffic (Sylvia).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\spanish xxx girls glans pregnant .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\horse voyeur leather .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\cum bukkake full movie mature .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\asian fucking sleeping wifey .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\bukkake [bangbus] titts granny .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\swedish porn lesbian several models glans .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\american cum fucking uncut .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\russian porn sperm [bangbus] fishy .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\russian animal bukkake uncut feet .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\sperm full movie .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\german lingerie hot (!) swallow .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\canadian horse hot (!) granny .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\indian action fucking masturbation hole young .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\brasilian action blowjob uncut .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\tyrkish porn xxx big titts .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\porn lingerie hidden titts (Sonja,Curtney).mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\norwegian blowjob full movie (Samantha).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\black horse trambling hidden gorgeoushorny .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\cum lesbian hidden .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\japanese beastiality fucking uncut blondie .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\InstallTemp\malaysia xxx big bedroom .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african gay [bangbus] cock .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian cum trambling hidden (Liz).mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish animal xxx [bangbus] blondie .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\japanese gang bang beast masturbation glans .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\bukkake masturbation titts upskirt (Tatjana).zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\lingerie full movie titts beautyfull .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\blowjob full movie cock lady .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\canadian xxx big hole .zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\canadian hardcore voyeur shower .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\norwegian lesbian hot (!) .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\tyrkish horse blowjob hot (!) (Curtney).zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\brasilian beastiality lesbian lesbian pregnant .mpg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\brasilian gang bang bukkake hidden .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\chinese xxx several models cock .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\sperm [milf] .rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\fucking [free] swallow .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\sperm hidden hole blondie (Karin).rar.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\german bukkake lesbian hairy .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish animal fucking big feet swallow (Melissa).zip.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\spanish horse masturbation blondie .avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\lingerie catfight .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\french sperm hidden cock boots (Curtney).avi.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\russian gang bang blowjob [milf] feet femdom .mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\chinese beast [free] femdom (Britney,Curtney).mpeg.exe	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
2144	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2084	2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	30
PID 2780 wrote to memory of 2084	2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	30
PID 2780 wrote to memory of 2084	2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	30
PID 2780 wrote to memory of 2084	2780	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	30
PID 2084 wrote to memory of 2144	2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	31
PID 2084 wrote to memory of 2144	2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	31
PID 2084 wrote to memory of 2144	2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	31
PID 2084 wrote to memory of 2144	2084	524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe	31

C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
"C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
  "C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe
    "C:\Users\Admin\AppData\Local\Temp\524316d151313fc6b0c0bd4ced5abd46465cce60c9241efbc63d1f347ba2a977.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie masturbation feet bondage (Janette).mpg.exe

Filesize
1.7MB

MD5
921f3b8abe648427911574f0c11b8575

SHA1
e9b5e46f9daa7921a058b2899ab62813576b1207

SHA256
0449febcc45e9baef1dfe5e16526c7a8486f9491cc54de71384350b98040093e

SHA512
1ff898b764887586cfee56c92ed460a79674e4991ca586e002538674cba3549e850d082daf788fefef2b6beb8f61316d6d6bba1b49ca0d7e39a733899772ceab

Download Submit
C:\debug.txt

Filesize
183B

MD5
ae9e5c8834951ae42cf13ba96119f964

SHA1
0c6a30dc41ba050dacb062f11220ef1ca59b3d75

SHA256
10d45a25ca8ee9f0692139cdf5df19e4fc6a8a59db626d170052ea5d875b6806

SHA512
c891170868663c753c036dd70dc326bc7c6ccb6b8f75229d63fccc57cb114571757da2550f246d39815d7d7704502c68f1ac2b80dca534a55e5083bf2edb3789

Download Submit