da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
Size

1.8MB
MD5

e77d4b0c2c4675c1e8e7589fb195f1a8
SHA1

bf689b569d4cd427e76462deced12465a08724e5
SHA256

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7
SHA512

e86b043f50cfe3ffa4bc535fd90a27a75ee08463d35ea6bbe791335842c8298f6e6aa5d68b7fcc6ba8430438be219bc8078b3bfc198619a26b1dc8e85eafa5bd
SSDEEP

49152:VVvHcjm2XthXr+JpSEBfz8leToZ7Ji+90GcC3lu77IB:TvHSbtR88e8PyGcC3A7UB

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Windows Sidebar\Shared Gadgets\black trambling porn girls mistress .mpg.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

resource	yara_rule
C:\Program Files\Windows Sidebar\Shared Gadgets\black trambling porn girls mistress .mpg.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	ioc	process
File opened (read-only)	\??\Q:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\V:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\W:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\A:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\E:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\N:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\P:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\S:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\T:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\U:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\B:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\I:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\J:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\Y:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\G:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\K:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\L:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\R:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\X:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\Z:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\H:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\M:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File opened (read-only)	\??\O:	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Drops file in System32 directory 10 IoCs

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum lesbian ash (Sonja,Sandy).avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore hardcore [milf] nipples .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian lingerie horse sleeping latex (Janette).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lingerie horse voyeur .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\horse several models ash 50+ .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian gay cum [bangbus] glans Ôë (Jade,Kathrin).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\spanish trambling beast catfight .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\FxsTmp\blowjob fetish licking black hairunshaved (Ashley).mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\IME\shared\norwegian beastiality gay masturbation vagina .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\SysWOW64\IME\shared\danish horse catfight boobs (Jenna,Karin).mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Drops file in Program Files directory 15 IoCs

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\malaysia beast horse [free] gorgeoushorny .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish horse girls pregnant .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\black fetish big (Samantha).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish horse animal hidden blondie .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files\Common Files\Microsoft Shared\gang bang lesbian [milf] cock gorgeoushorny .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Google\Temp\spanish blowjob hot (!) (Tatjana).avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\cum hot (!) titts penetration .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\tyrkish blowjob hot (!) sm .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files\Windows Journal\Templates\spanish fucking [free] fishy .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\xxx [bangbus] traffic .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\kicking gang bang licking YEâPSè& .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files\DVD Maker\Shared\spanish handjob nude licking bedroom .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black trambling porn girls mistress .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Google\Update\Download\animal [free] vagina .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gang bang lesbian boobs mistress .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Drops file in Windows directory 64 IoCs

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\spanish xxx voyeur glans (Liz).mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\malaysia kicking animal [milf] stockings (Melissa).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\gay cum hidden ash (Christine).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\german lingerie catfight traffic .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\russian lesbian cum hot (!) young .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\canadian xxx hot (!) .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\japanese handjob [milf] .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\norwegian blowjob gang bang uncut cock .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\cum horse [bangbus] 40+ .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\PLA\Templates\nude [bangbus] .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\beastiality hidden hairy (Janette,Sandy).mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\cum cumshot big shoes .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\american lesbian lesbian full movie redhair .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\russian fetish gay masturbation (Sarah).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian action action hidden ash (Sylvia).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\tyrkish trambling voyeur wifey .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\american fucking kicking girls hole (Jenna,Anniston).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\tyrkish beastiality porn [bangbus] boobs .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\blowjob hidden feet wifey .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\Downloaded Program Files\lesbian trambling uncut hotel .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\british handjob lesbian YEâPSè& (Jenna,Sarah).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking horse catfight tÛ .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\gay uncut glans beautyfull .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\security\templates\horse gang bang catfight ash .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\blowjob cum [milf] cock hotel .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\sperm kicking licking cock wifey .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\japanese hardcore cum voyeur ash sweet .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\action horse [milf] hole fishy (Janette).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\trambling cum uncut ash .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\cumshot sleeping (Britney,Melissa).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\gang bang licking (Anniston,Kathrin).avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\beastiality bukkake big .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\indian fucking public young .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\russian bukkake kicking hot (!) (Ashley).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\asian animal sperm licking boots .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\german action lesbian .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\tyrkish fetish hidden .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\tyrkish horse public feet upskirt .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\german handjob catfight sm (Sandy,Sonja).mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\beast sperm hot (!) mistress .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\temp\brasilian cum licking .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\malaysia horse public boobs circumcision .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\swedish trambling beast several models beautyfull .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\trambling [milf] circumcision .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\asian porn beast several models hotel (Britney,Jenna).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\nude [bangbus] (Kathrin,Gina).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\norwegian porn uncut legs lady .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\italian handjob sperm big legs .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\swedish horse bukkake catfight castration .avi.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\british cum sleeping .rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\InstallTemp\beast hardcore hot (!) high heels (Sonja).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\malaysia trambling [milf] (Sandy,Anniston).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\black lingerie sleeping bedroom .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\russian action trambling [bangbus] ìï (Melissa).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\trambling public sweet (Gina,Sonja).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\canadian blowjob gang bang hidden (Sandy).rar.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\horse blowjob [free] nipples (Sonja).mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\indian nude sleeping vagina leather .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\chinese nude kicking big girly .mpg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\danish beast kicking voyeur girly (Sandy).zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\british lingerie licking .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\african kicking big bedroom .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\cum voyeur .zip.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\gang bang [milf] leather .mpeg.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exeda6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exeda6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

pid	process
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
2960	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exeda6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

description	pid	process	target process
PID 1744 wrote to memory of 2628	1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 1744 wrote to memory of 2628	1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 1744 wrote to memory of 2628	1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 1744 wrote to memory of 2628	1744	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 2628 wrote to memory of 2960	2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 2628 wrote to memory of 2960	2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 2628 wrote to memory of 2960	2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
PID 2628 wrote to memory of 2960	2628	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe	da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe

C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
"C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744

C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
"C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe
"C:\Users\Admin\AppData\Local\Temp\da6794322173ed75d83002265cd1677e453d5c01999dee040ac3db21851a51e7.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\black trambling porn girls mistress .mpg.exe
Filesize
1.6MB

MD5
adcb7dc2fefcb17b2b92b3202725f824

SHA1
142a4fcca9d500a3a6afdc72b980c95e839a0c2a

SHA256
536e51786276838a1cae108b25e3e2ef3bfe5c96ad97d2b0aac2510a6dbecea0

SHA512
44dcaf56f5388cdcc64652235c2ca860e909803ff4f39f5273c647a81cf9c662207a190049bb4e541b6fb48bff30e090051d492d0c6c28f895ceca18f6b75e11

Download Submit
C:\debug.txt
Filesize
183B

MD5
9eec78a34348b7cbc2cc26b435594ea1

SHA1
4341e02799649a56acc8186dea2ff6c2b98f5912

SHA256
8a4a873c961fcbfb63195e75edfd72edd1fe42ae492892dcdc71f1fd69c7d0d7

SHA512
4ab7933286fa4e0d23038c7746543e0c225174cc950a7689d12802a773734fe1ba96bb59162a63e005105229d3df302150beac10d75abc66f6de0f86865f0144

Download Submit