f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
Size

550KB
MD5

30bfa3473ae949b3bed3075fcc354ba3
SHA1

d11b0f1c6d70dd43de9a4413be941b8363a6c4fb
SHA256

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983
SHA512

39401222ce9dc245d8263f3d0db2c32f56a9ca73ac56fbebac076e0635fdf70423e80119d34b9bc02b07788efd3977efa68a27e9c19c11031639e27f7bcd5dfd
SSDEEP

12288:JXCNi9BX0gpA6Hody5Xv4C8R7pb0OFMO5FLvUtfR7i:sWkCVH/5Xohpb0Yl5+tfRW

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File opened (read-only)	\??\A:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\O:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\X:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Y:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Z:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\E:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\G:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\K:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\T:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\W:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\P:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\B:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\H:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\I:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\J:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\L:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\U:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\V:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\M:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\N:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\Q:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\R:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File opened (read-only)	\??\S:	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in System32 directory 10 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\trambling licking cock .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian nude xxx catfight .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\IME\shared\japanese action fucking hidden .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish animal bukkake catfight shower .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\IME\shared\danish porn lesbian full movie .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american nude bukkake masturbation .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\System32\DriverStore\Temp\american horse fucking sleeping leather .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm several models titts sm .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american cumshot blowjob catfight ash .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish cum lingerie uncut leather .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in Program Files directory 15 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\Templates\danish gang bang sperm voyeur feet lady .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\beast public (Melissa).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Common Files\Microsoft Shared\sperm lesbian cock high heels .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Google\Temp\sperm girls granny .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\bukkake lesbian sweet .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\swedish action gay catfight feet wifey .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Google\Update\Download\indian horse beast full movie bedroom .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\fucking [free] titts lady (Sarah).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\brasilian fetish horse [bangbus] ejaculation .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\american porn horse several models hole circumcision .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx voyeur .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\DVD Maker\Shared\russian horse fucking licking .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\trambling full movie feet .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese animal trambling full movie 40+ .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\american action lingerie masturbation redhair .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Drops file in Windows directory 64 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\horse lingerie big hole 50+ .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american handjob xxx [bangbus] sm .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\lesbian public YEâPSè& .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\malaysia lesbian [free] (Sylvia).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\cumshot blowjob lesbian .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\cumshot hardcore [free] cock sweet .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\american fetish lingerie hidden shoes .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\Downloaded Program Files\swedish nude blowjob big redhair .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\british xxx masturbation feet blondie .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\japanese horse horse voyeur (Liz).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\african xxx lesbian granny .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\french lingerie uncut mistress .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\danish porn xxx lesbian hole .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\temp\brasilian kicking sperm public (Karin).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\SoftwareDistribution\Download\american kicking blowjob several models feet hotel .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\horse sperm [bangbus] titts .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\tyrkish porn blowjob hidden .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish fetish fucking several models titts bondage (Samantha).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\hardcore lesbian titts shower .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\black gang bang bukkake sleeping cock .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\canadian bukkake [bangbus] feet .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\asian horse sleeping boots .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\french gay hot (!) (Sarah).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\american beastiality gay sleeping titts hairy (Tatjana).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\malaysia sperm lesbian titts upskirt (Samantha).avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\african hardcore girls feet traffic .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\bukkake uncut mature (Gina,Jade).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\spanish blowjob uncut 50+ .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\indian action trambling hot (!) high heels .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\cumshot lesbian voyeur glans .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\tyrkish action fucking voyeur redhair .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\swedish porn lesbian big .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\african fucking hidden cock latex .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\german trambling hot (!) balls .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\sperm full movie bedroom .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\norwegian blowjob hot (!) YEâPSè& (Jenna,Janette).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\american fetish xxx catfight castration .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\chinese trambling [milf] cock .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\norwegian fucking [bangbus] 50+ .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\gang bang hardcore hot (!) shoes .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\gay hot (!) .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\InstallTemp\japanese nude lesbian lesbian penetration .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\swedish action bukkake [bangbus] hole (Kathrin,Jade).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\swedish horse horse [milf] pregnant .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\french bukkake catfight black hairunshaved .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\porn sperm licking latex .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian sleeping cock pregnant .avi.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\blowjob girls .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\animal blowjob catfight swallow .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\black cumshot beast full movie .mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\bukkake uncut .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\american beastiality lingerie uncut glans bedroom (Curtney).zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\african sperm sleeping .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\nude sperm [bangbus] (Melissa).rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\malaysia trambling sleeping glans bondage (Jade).mpg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\swedish nude trambling catfight feet femdom .rar.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\swedish beastiality xxx public titts .mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\malaysia blowjob several models .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\chinese horse catfight hole .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\danish horse fucking [bangbus] cock .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\german gay voyeur (Jade).mpeg.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\mssrv.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\xxx girls leather .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\horse lingerie uncut titts black hairunshaved .zip.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1348 2240 WerFault.exe f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

pid	pid_target	process	target process
1348	2240	WerFault.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

pid	process
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
2928	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exef054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe

description	pid	process	target process
PID 2240 wrote to memory of 2720	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2240 wrote to memory of 2720	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2240 wrote to memory of 2720	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2240 wrote to memory of 2720	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2720 wrote to memory of 2928	2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2720 wrote to memory of 2928	2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2720 wrote to memory of 2928	2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2720 wrote to memory of 2928	2720	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
PID 2240 wrote to memory of 1348	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	WerFault.exe
PID 2240 wrote to memory of 1348	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	WerFault.exe
PID 2240 wrote to memory of 1348	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	WerFault.exe
PID 2240 wrote to memory of 1348	2240	f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720

C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe
"C:\Users\Admin\AppData\Local\Temp\f054a3e989d79b67a89356cb8a3ce275765aa57bf7a18bdabcf6726e06ad0983.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2240 -s 604
2⤵
- Program crash
PID:1348

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\trambling full movie feet .mpg.exe
Filesize
1.4MB

MD5
d4251d80660bb297fb86901ddb551a82

SHA1
792d97523d6192e06e789b0ebd5db98dd75cfeca

SHA256
88171fff9a2b5743aca77e720a4ff4634e601b2c80c224ea93454d8ddcfc7dc8

SHA512
fe05e775b61c8ce8ae72cd23b15207253e48323912defa315f1b439183d07fc6a62dc05e1d1ede54b96d0315e2d7acb414d58ec6cb1b718e18df3449fe872263

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads