01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
Size

1.4MB
MD5

709e5020a62a0c49618f053bcd67762a
SHA1

fd3fc4103eb2a68764120eb53724391b59a4bb54
SHA256

01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946
SHA512

bfd98bb8cce91fc627923005bc07582322acd5d21d2937adb2ca09feec56596b15a813ee078f87b9994b756dbb270ea15ee42a42af898b847680c5c8f8502992
SSDEEP

24576:2w7Ub5kRkZc/EX7LfpW9ihVMOyyhtj5Ip40l997qgolQdyq1cWm:h4VwktHpbvMOyyr9Ip40l99lwQ91cH

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\M:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\Y:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\G:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\H:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\I:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\S:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\B:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\J:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\L:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\O:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\P:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\Q:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\T:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\V:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\E:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\W:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\N:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\R:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\U:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\X:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\Z:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File opened (read-only)	\??\A:	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese trambling cumshot girls mature (Liz,Curtney).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\config\systemprofile\porn porn public lady .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish trambling girls glans .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\IME\shared\trambling horse public bondage .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian cum fetish girls redhair .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\FxsTmp\american gay hidden .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\IME\shared\danish animal porn [free] upskirt .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\lingerie voyeur ash (Sonja,Jenna).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SysWOW64\config\systemprofile\chinese porn fetish several models boots .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\System32\DriverStore\Temp\danish bukkake bukkake hidden 50+ .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\cumshot horse hidden .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files\Common Files\Microsoft Shared\italian bukkake gang bang hot (!) .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\tyrkish bukkake licking shower .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian kicking hardcore big traffic .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\danish fetish hidden balls .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob hot (!) .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Google\Temp\black kicking gang bang [free] girly .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Google\Update\Download\cumshot gay masturbation (Anniston,Gina).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\handjob [milf] (Janette,Jenna).zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\bukkake sperm several models .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files\Windows Journal\Templates\hardcore horse masturbation .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\canadian fetish gang bang full movie upskirt .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\italian bukkake blowjob [free] .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian gang bang big titts .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Program Files\DVD Maker\Shared\chinese gang bang sleeping boobs ejaculation .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\horse cumshot several models titts .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\american hardcore catfight .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\african nude licking glans hotel .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\american gang bang animal voyeur cock bedroom (Kathrin).zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\trambling full movie hole balls .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\black lingerie [bangbus] traffic .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\asian trambling kicking [bangbus] feet bondage .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\asian cum bukkake hot (!) (Sandy,Sarah).mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\black sperm fucking hidden leather (Melissa).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\hardcore fucking [milf] penetration .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\italian gang bang lesbian shoes .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\swedish action uncut shower .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\Temp\british gang bang several models glans sm .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\german bukkake lesbian stockings .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\canadian xxx action hot (!) shoes .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\lesbian cumshot lesbian beautyfull .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\norwegian action voyeur sm .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\japanese beast several models .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\nude big .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\fucking xxx girls young (Sarah,Sonja).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\german beast blowjob big sweet .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\norwegian gang bang catfight circumcision .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\fetish full movie circumcision .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\cum horse voyeur legs (Kathrin).mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\PLA\Templates\swedish lesbian kicking big femdom .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\horse sleeping granny (Melissa).mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\asian horse sleeping glans wifey (Jenna).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\temp\trambling xxx hot (!) feet traffic .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\tmp\horse beastiality hot (!) latex .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\SoftwareDistribution\Download\fucking several models ejaculation .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\canadian gay big titts .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\kicking [free] granny .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\sperm action catfight glans .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\brasilian cum [milf] sweet .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\french lingerie [bangbus] glans .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\indian fucking voyeur traffic .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\animal voyeur (Jade).mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\asian horse uncut glans young (Tatjana).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\chinese blowjob voyeur latex (Sonja,Janette).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\hardcore cumshot girls upskirt (Gina).mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\french nude voyeur .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\japanese fetish lingerie hidden sweet (Janette).mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\cum big .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\beast fucking voyeur hole swallow .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\security\templates\porn cum uncut .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\japanese cum sperm [milf] .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\bukkake lingerie several models cock ash .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\indian trambling masturbation (Sylvia,Sonja).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\asian nude gay voyeur .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\swedish fucking nude big mature (Melissa,Curtney).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\animal voyeur .mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\canadian lesbian gang bang licking (Kathrin).mpeg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\hardcore xxx public .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\horse licking titts upskirt .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\bukkake hot (!) .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\russian hardcore several models bondage (Karin,Karin).avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\lesbian voyeur vagina high heels .mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\malaysia horse voyeur feet (Kathrin,Jade).rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\porn action lesbian young (Sandy).zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\danish lingerie lesbian granny .avi.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\african cumshot several models legs .zip.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\blowjob bukkake licking .rar.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\mssrv.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\french cumshot masturbation (Tatjana,Ashley).mpg.exe	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
2672	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2836	2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	30
PID 2416 wrote to memory of 2836	2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	30
PID 2416 wrote to memory of 2836	2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	30
PID 2416 wrote to memory of 2836	2416	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	30
PID 2836 wrote to memory of 2672	2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	31
PID 2836 wrote to memory of 2672	2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	31
PID 2836 wrote to memory of 2672	2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	31
PID 2836 wrote to memory of 2672	2836	01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe	31

C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
"C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
  "C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe
    "C:\Users\Admin\AppData\Local\Temp\01062822b4b85ad85e87e215553400e4f620bf6ae81b65c94eb98f3c85330946.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob hot (!) .mpg.exe

Filesize
1.9MB

MD5
f5e9123fab727aaca2316890a25fa75f

SHA1
da848dd24bbdf7f38676485ab4788fa837e4b4ae

SHA256
4205c94b369ed58f075d43b67ae9924178298e3dc004483c179b3d997be17124

SHA512
d49c77c85dfa54aaac4f419a7726a41c8954f81221c5184ef9399b51c3e312bb58e514354aa9dcfabb5c5472b5ba2fbb752c594d76255997c5da526db7679b79

Download Submit
C:\debug.txt

Filesize
183B

MD5
aa1b34921ab7d8b5ed820c32ed67bde1

SHA1
64f10bd069617682ad710b9ffc8b1dd3bdfea736

SHA256
2ffd5f15d7df48490e542094e4729d2b7412f69d025c01e44d48b21cb92f3549

SHA512
fffc83b0ee2498b135794c4f8337ae1e327b4147f8869f10527d6b5762313bfa198f7c7044627be0da4b07be20d6cbe46e1e55a26fb4e88e044ca8222b35a9e3

Download Submit