f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
Size

1.9MB
MD5

ac02bdf47c1bf332ec1c128eb5bf1daa
SHA1

d98389f89d70e0a52af0c694cbcc0521cf62f4ef
SHA256

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9
SHA512

cdf678061bfb17f344d9ad914f9278e3bbaf04a3bf80c8fc9f53225bf8e005729850096fa8f9fd425b3d2d40fe46543843e883b2039691cb6ee1fde9323198e3
SSDEEP

49152:CsonjgfeMymYptKbmjzktSI5JUT42+JQPvj1/cEZF3:g5MymYGfG4vkvjJ3

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\danish lesbian [milf] (Sarah,Sandy).rar.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

resource	yara_rule
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\danish lesbian [milf] (Sarah,Sandy).rar.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File opened (read-only)	\??\B:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\H:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\N:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Q:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\S:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\T:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\A:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\G:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\I:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\K:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\P:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\V:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\W:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\E:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\J:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\M:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\U:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Z:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\L:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\O:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\R:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\X:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Y:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in System32 directory 10 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FxsTmp\cum licking (Sandy).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian hardcore hidden (Gina).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\System32\DriverStore\Temp\danish nude [free] (Janette,Gina).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\IME\shared\malaysia gang bang hot (!) high heels (Ashley,Melissa).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm horse several models glans girly .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian cum lesbian cock .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\IME\shared\american nude gang bang several models ash YEâPSè& .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse voyeur blondie .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian fetish [milf] .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse voyeur nipples penetration .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in Program Files directory 15 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\italian action porn sleeping YEâPSè& .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Windows Journal\Templates\gay xxx full movie hole (Jenna).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\asian cum voyeur pregnant (Sylvia,Sonja).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\american beast lingerie hot (!) boobs (Liz).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian lesbian xxx public 50+ (Christine,Kathrin).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\gang bang gay hidden femdom .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\norwegian horse big gorgeoushorny (Curtney,Ashley).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\swedish horse hardcore [bangbus] stockings .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\asian gang bang girls sweet (Sonja,Christine).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\DVD Maker\Shared\black horse porn hidden ash upskirt (Anniston,Sylvia).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\horse big feet redhair .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Google\Temp\african lesbian bukkake public .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Google\Update\Download\handjob gay full movie girly (Curtney,Karin).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\danish lesbian [milf] (Sarah,Sandy).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie beast catfight .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in Windows directory 64 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\russian sperm catfight (Samantha,Sarah).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\indian bukkake [free] black hairunshaved .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\black beastiality action masturbation titts boots .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\american action several models .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\italian horse [milf] redhair (Liz,Britney).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SoftwareDistribution\Download\british cum gang bang [free] .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\brasilian lingerie sleeping .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\tyrkish beast girls castration .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\african horse sleeping feet (Tatjana,Sarah).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\malaysia animal [milf] .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\russian lesbian lesbian glans redhair .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\fucking beast [bangbus] .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\danish cumshot hot (!) 50+ (Sandy).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\canadian gay lesbian uncut .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\cum [bangbus] sweet (Sarah).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\tmp\handjob girls .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\french beast lesbian 40+ .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\lesbian beast several models .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\russian action uncut ash ejaculation (Karin).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\french cum cum voyeur (Jenna,Jenna).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\PLA\Templates\kicking kicking hot (!) penetration .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\german action hot (!) boots .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\Downloaded Program Files\russian beast masturbation boobs bedroom .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\norwegian hardcore catfight balls .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\italian gay girls hairy .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\fetish hot (!) titts ejaculation .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\trambling gay uncut femdom .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\cumshot handjob big bedroom .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\porn cumshot lesbian legs (Curtney).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\action xxx licking vagina .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\black fetish fetish masturbation circumcision .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\chinese horse animal catfight nipples .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\brasilian handjob big boobs upskirt .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\blowjob gang bang girls feet .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\spanish beast lesbian pregnant .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\russian cumshot nude several models (Jade).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\japanese sperm hot (!) beautyfull .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\malaysia trambling lesbian titts ¤ã .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\spanish action hot (!) 40+ (Jade).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\french cumshot [free] titts balls (Janette).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\british cum sleeping granny .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian gang bang blowjob uncut .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\animal big .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\russian horse horse hot (!) granny (Karin,Sonja).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\mssrv.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\asian handjob several models .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\temp\swedish blowjob action hidden nipples traffic (Christine).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\norwegian lingerie fetish uncut femdom .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american cum public sm .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\hardcore beastiality big glans .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\InstallTemp\italian xxx gay full movie vagina black hairunshaved .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\fucking hot (!) cock high heels .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\security\templates\cum kicking lesbian .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\canadian hardcore handjob hidden .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\asian lesbian lesbian swallow .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian trambling sperm uncut cock mistress .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\german kicking bukkake [free] .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\indian animal uncut lady (Anniston).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\norwegian gang bang [bangbus] boobs .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\malaysia fucking voyeur fishy .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\chinese horse sperm public vagina bondage (Sylvia).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\british fetish xxx [bangbus] vagina fishy (Sarah).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\horse blowjob hot (!) .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\cumshot xxx sleeping mature .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1032 2156 WerFault.exe f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

pid	pid_target	process	target process
1032	2156	WerFault.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exef461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exef461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

pid	process
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3000	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exef461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	pid	process	target process
PID 2156 wrote to memory of 2684	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2156 wrote to memory of 2684	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2156 wrote to memory of 2684	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2156 wrote to memory of 2684	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2684 wrote to memory of 3000	2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2684 wrote to memory of 3000	2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2684 wrote to memory of 3000	2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2684 wrote to memory of 3000	2684	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 2156 wrote to memory of 1032	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	WerFault.exe
PID 2156 wrote to memory of 1032	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	WerFault.exe
PID 2156 wrote to memory of 1032	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	WerFault.exe
PID 2156 wrote to memory of 1032	2156	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2156 -s 384
2⤵
- Program crash
PID:1032

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\danish lesbian [milf] (Sarah,Sandy).rar.exe
Filesize
1.8MB

MD5
c9a61f62eed0344bc7f2fb6884263c85

SHA1
7909c8eaaa8a16b55274e8fb7fe64faaf8dc68c8

SHA256
4a4bfc90f17c73ec2de213213178114123f5c782dbdd358d222c44a80967b85a

SHA512
c9d6f19dff8cc835c886c2099abbe32caea3a7f1508bdbbf1b492341d66c88a6a4ba0765f830a78ed346916fbca974e6eb160e1ca8dc071e26a60ed6f5fb2e80

Download Submit
C:\debug.txt
Filesize
183B

MD5
2cd2ba557f6b98eb8969af21e2dba787

SHA1
af58b602d6f941bbb120d781637eafab8f19f110

SHA256
aec61aaccda01ea9a43cae1de7558cd9fe25624597002a46483315ee86e58d51

SHA512
19c4ceb0ccc418953fe75e27baa8489f77eb1a569aa3a530e8fcb2668b2c94004b9dca891d959786b6cbab413e94add15ed29b939468782aad76d8f8d0800157

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads