8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
Size

901KB
MD5

36e6f1987dafb002b19404c9508c6a3a
SHA1

d84face4a94cf065d319c3b2339931bc2c678e53
SHA256

8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77
SHA512

6ace91d5a5f9e67acea49a52634456842139174ae49cdaa1a1867c18dc0dc73658a54b14b5d8935462bc4f199609b9c2eb273f8fc7b7ea4c34d119e24286f771
SSDEEP

12288:JXCNi9B0DfNFHvV0lJUAhUmuW9U2UwMT/XB9lawaY7w8G+wLpyoF3vMFO/zdXxM4:sWanPKlrhUOaTZLf7w8G+syoF9ERe

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\S:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\T:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\K:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\L:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\P:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\W:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\A:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\G:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\I:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\O:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Q:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\X:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Y:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\B:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\H:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\M:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\U:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\V:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\Z:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\E:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\J:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File opened (read-only)	\??\N:	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fetish gay catfight .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\FxsTmp\african beastiality hot (!) legs traffic .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish horse sperm girls .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\action voyeur (Sonja).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\config\systemprofile\nude licking shower (Samantha,Samantha).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\FxsTmp\fetish several models mistress .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking lesbian catfight .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\System32\DriverStore\Temp\fetish lesbian vagina .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\nude girls redhair (Melissa).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SysWOW64\IME\shared\african action girls .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\Templates\canadian trambling nude masturbation wifey (Kathrin,Curtney).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Google\Update\Download\norwegian gang bang lesbian girls bondage .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\norwegian blowjob horse uncut .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Common Files\Microsoft Shared\chinese hardcore beastiality licking traffic (Kathrin).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\african action hot (!) hole ¼ç (Curtney,Sylvia).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\tyrkish lingerie hot (!) swallow .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\african action kicking sleeping titts .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\russian sperm girls nipples upskirt (Melissa).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\british cum public ash ¤ã .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Google\Temp\spanish nude lesbian ejaculation .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\cumshot kicking masturbation .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\chinese beastiality horse licking (Liz).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\DVD Maker\Shared\british horse [milf] boobs balls .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sperm animal big latex .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\italian action hidden hairy .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\british hardcore fetish masturbation YEâPSè& .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\Downloaded Program Files\african horse [free] hotel .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\security\templates\russian fetish xxx full movie (Ashley).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\italian blowjob sleeping feet black hairunshaved (Tatjana,Samantha).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\bukkake bukkake uncut leather .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\danish xxx several models traffic .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\cum gang bang voyeur fishy (Samantha).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\temp\hardcore voyeur .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\nude lesbian masturbation .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\cumshot [free] vagina .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\african handjob gay lesbian cock redhair .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\fucking voyeur lady (Kathrin,Tatjana).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\black lingerie hidden high heels .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\russian gay sleeping feet penetration .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\indian action [milf] .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\brasilian trambling hidden vagina shoes (Jenna).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\kicking gang bang voyeur .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\hardcore uncut boobs (Anniston,Sonja).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\animal sperm voyeur hole mature .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\swedish lesbian fetish [bangbus] titts circumcision .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\german action beastiality masturbation swallow .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\beastiality sleeping .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\horse [milf] .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\indian bukkake bukkake several models vagina .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\french fucking cumshot hot (!) mistress .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\british nude cumshot licking (Gina,Christine).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\blowjob lesbian feet bedroom .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\lesbian hot (!) .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\norwegian blowjob catfight blondie (Karin).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\porn lesbian blondie .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\PLA\Templates\horse cumshot catfight 40+ .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\horse gay catfight .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\brasilian nude blowjob uncut (Tatjana,Sarah).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\beast lingerie [bangbus] .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\kicking trambling catfight .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lesbian [bangbus] castration (Gina).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\fetish sleeping fishy .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\canadian horse cum catfight (Samantha).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\american kicking blowjob big hole leather .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\indian cum uncut .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\horse gay [free] glans .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\malaysia beastiality uncut lady .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\swedish action big legs ¤ã .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\bukkake public legs circumcision (Melissa).avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\asian beast nude licking leather .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\african horse hot (!) vagina shoes .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\horse hidden black hairunshaved .mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\fucking girls .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\norwegian porn lesbian [bangbus] penetration .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\xxx lesbian glans .avi.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\black action girls .rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\canadian nude kicking several models (Tatjana,Jenna).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\hardcore licking titts (Gina,Tatjana).rar.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\hardcore xxx lesbian castration (Melissa,Christine).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\porn hot (!) (Sandy,Christine).zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\horse sperm big hairy .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\russian lesbian [free] hole (Sandy).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\kicking lesbian hot (!) (Sandy,Christine).mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\british xxx nude full movie wifey .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\tmp\porn hidden sm (Sarah,Samantha).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\tyrkish sperm hot (!) penetration .mpg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\italian handjob [free] .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lingerie nude voyeur .zip.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
File created	C:\Windows\SoftwareDistribution\Download\cumshot hidden shoes (Jade,Janette).mpeg.exe	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
856	3056	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
2652	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2140	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	30
PID 3056 wrote to memory of 2140	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	30
PID 3056 wrote to memory of 2140	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	30
PID 3056 wrote to memory of 2140	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	30
PID 2140 wrote to memory of 2652	2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	31
PID 2140 wrote to memory of 2652	2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	31
PID 2140 wrote to memory of 2652	2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	31
PID 2140 wrote to memory of 2652	2140	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	31
PID 3056 wrote to memory of 856	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	32
PID 3056 wrote to memory of 856	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	32
PID 3056 wrote to memory of 856	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	32
PID 3056 wrote to memory of 856	3056	8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe	32

C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
"C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
  "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe
    "C:\Users\Admin\AppData\Local\Temp\8b2b4d2738485721ca9cb437c488e55e1b654a0b4e769cc8f7f590c3ee511b77.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 376
  2⤵
  - Program crash
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\sperm animal big latex .mpeg.exe

Filesize
1.1MB

MD5
9dc510fcb7d1e58bb0f8d259c99cfbfa

SHA1
71cbc31d04d295c87b38df46c090f6bb2e93ad0c

SHA256
ad79468dd8c32ce8a18c44f8eb1034ad55a1f100c2d348aa7581b1c49b3a9acd

SHA512
2e816dd402bee62336bceec1b8102550ab1dfe5ecf62f4b419ec297fd8239bace812e4f251d3974283d27d93bb3ca44bd67ea0704ce8092b52fb54aec5e00355

Download Submit
C:\debug.txt

Filesize
183B

MD5
5a39e3c3fd006499ea1a8be830a51d4d

SHA1
c0fa6b3e35a7e044ed5450d87724f3c34641ce4e

SHA256
b6ab0c1e0a8915d6e3d2188f60d05edb8f6a7186fec921be676ffa98c0beef5e

SHA512
4c7f1c7e1974f105654765ad93c12ca26d2b926d265cd0e437a9a36afa528076e7629f7bbd9181c80f2d92c863746a51d96d2dcaaf86fd8296b8c5740fdaa01d

Download Submit