2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
Size

1.0MB
MD5

e553cc6505679275fbcca0e4f1a73e91
SHA1

862999b23d86bf602a0692f2407cdc97e7e97381
SHA256

2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a
SHA512

f3afe7e78b796d23e0123c941013a78ff3ba34b5149ccb587e9725434cafe84cc275afaba1ccaa0beabdb56304ff63b3f6a39399b15fc9b27fcf8d8819abe0cd
SSDEEP

24576:86SEl5bHLmBnPaAWaRzN1VfD74drcLtFfYC:5BnLuaaRZ1lP4drS

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\P:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\V:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\H:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\I:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\J:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\U:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\X:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\Y:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\E:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\K:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\R:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\S:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\T:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\O:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\Q:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\W:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\A:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\B:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\G:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\L:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\N:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File opened (read-only)	\??\Z:	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian action full movie titts bondage .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\System32\DriverStore\Temp\russian beast full movie bondage .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\FxsTmp\french beast [milf] (Karin).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking catfight .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\IME\shared\american horse handjob hot (!) latex .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese action action hidden .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\IME\shared\cumshot full movie young .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian animal masturbation nipples balls .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\chinese animal cumshot public ash sweet (Christine).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SysWOW64\FxsTmp\norwegian fucking [bangbus] black hairunshaved .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\animal nude big girly .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Google\Update\Download\french bukkake public mistress .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\beast big (Britney,Sonja).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\cum trambling [milf] .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\sperm animal hot (!) legs (Samantha).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\italian gang bang gang bang big legs shower (Sonja,Sonja).rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese gay fetish public .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\chinese action lesbian public girly .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files\Windows Journal\Templates\hardcore gang bang [free] .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\beastiality sperm public femdom .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\sperm hidden mistress (Sonja).zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Google\Temp\beast nude licking wifey .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\american lingerie bukkake sleeping cock .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files\DVD Maker\Shared\gang bang beast masturbation 50+ .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\asian cumshot girls titts .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\spanish cum sleeping titts lady (Karin).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\chinese sperm cum catfight vagina gorgeoushorny .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\lesbian lesbian cock .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\black fucking action big .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\norwegian fucking licking legs lady .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\german cumshot sperm lesbian .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\chinese animal horse sleeping castration (Sarah,Ashley).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\spanish lingerie horse lesbian legs balls (Anniston).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\british fetish full movie high heels .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\fetish sperm lesbian .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\chinese cumshot [free] boobs (Jade,Ashley).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\spanish handjob hidden traffic .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\security\templates\animal sperm voyeur (Gina,Janette).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\cumshot horse voyeur ash .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\lesbian beast sleeping 50+ .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\italian fucking trambling licking ash .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\indian kicking full movie .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\gang bang kicking licking vagina stockings .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\animal big boobs shower .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\norwegian nude lingerie [free] glans circumcision .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\fetish [milf] legs .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\canadian blowjob cum lesbian .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\italian horse voyeur nipples bondage .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\bukkake handjob uncut cock 40+ (Samantha).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\canadian lingerie hidden .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\chinese blowjob big .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\cumshot fetish licking traffic .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\tyrkish nude hidden boobs latex .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\cum bukkake hidden (Samantha,Curtney).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\swedish action blowjob licking feet lady (Melissa,Sonja).mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\handjob public mature .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\african lesbian gay full movie 40+ .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\asian animal gay masturbation cock high heels .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\hardcore [bangbus] shower .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\hardcore lesbian fishy (Sylvia,Sarah).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\british fucking several models (Samantha,Ashley).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\italian xxx handjob [milf] 40+ .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\norwegian sperm masturbation granny (Karin,Sonja).avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\blowjob cumshot public mature .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\japanese action licking hole .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\african horse kicking sleeping cock wifey .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\french xxx cum licking nipples wifey .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish bukkake horse girls beautyfull (Gina).rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\horse hardcore [bangbus] black hairunshaved .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\black cum girls titts beautyfull .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\norwegian porn animal sleeping girly .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\handjob big vagina .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\InstallTemp\japanese lesbian nude [free] high heels .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\hardcore beast sleeping granny .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\fetish masturbation legs shoes .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\SoftwareDistribution\Download\lingerie public wifey .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\indian cumshot gay hidden blondie .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\fetish [milf] .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish horse licking girly (Jenna).zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse kicking uncut .avi.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\malaysia animal sleeping .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\nude lingerie sleeping latex .mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\norwegian trambling [milf] hole sweet .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\german cum lesbian (Christine).zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\hardcore voyeur black hairunshaved .zip.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\african gang bang big balls .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\asian hardcore cumshot licking hole redhair .rar.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\american lesbian beast [milf] shoes (Sarah).mpg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\african handjob trambling voyeur vagina .mpeg.exe	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
3060	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 1052	2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	31
PID 2628 wrote to memory of 1052	2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	31
PID 2628 wrote to memory of 1052	2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	31
PID 2628 wrote to memory of 1052	2628	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	31
PID 1052 wrote to memory of 3060	1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	32
PID 1052 wrote to memory of 3060	1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	32
PID 1052 wrote to memory of 3060	1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	32
PID 1052 wrote to memory of 3060	1052	2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe	32

C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
"C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
  "C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe
    "C:\Users\Admin\AppData\Local\Temp\2ee2265368abec9986adbcd64a59b1abe9c40683803f617b0ed6a2852cf0dc9a.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\asian cumshot girls titts .mpg.exe

Filesize
839KB

MD5
ce5aab73e95bdd29e71e920c87462a1d

SHA1
b1a97154df6623b06d9ff8c3601c7c1e61776a36

SHA256
ec2b5f1b1ff8e15e32692788c51c905ba40e6c01f2859b4bd2deec1654f90ea8

SHA512
9e9f1d4c3d21f1f85f76b5591ca3248394d9d85b206fd57f4ae239ab66b6e58fcae2b03add885dd36737544def78cdfcd50deed6dc4d0c62e9235bc44e644f36

Download Submit
C:\debug.txt

Filesize
183B

MD5
4ad871ea97315750478446cee0e0c92f

SHA1
49ba12ff5f847bba6660f1760d96a8645c096644

SHA256
9b76809b8fa976db237e2d65a4cf29ec6861e77e35ecdc41ecb7fab68c88aab0

SHA512
50f23f615caab2f4fcf744a696a16ae67db08517004e9384cef07170c33350f8c7cc11c187473c2711ac00e9e739288e234523d3075da268000412eded5074b8

Download Submit