f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
Size

982KB
MD5

2197a8e9885ba9c9d8efb4b13d3d8b45
SHA1

30c09b9d87b0487c866f09c7ae9e2a3049993494
SHA256

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da
SHA512

46c94344c9827f30c4f6374e1d03a966d36afd00a4b92f3c493c54eb2c6fbbe6bab3c3740c61d5e52f290c36c0e71e856742c7e4742e9a050e46d2d04f453853
SSDEEP

24576:2wPG4ZzqQyDuQtljBs0PkqwZq9dhoZfIsKuSHpWCtF:h3ZatliGw2dKfIsKuKWiF

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Windows Sidebar\Shared Gadgets\indian gang bang fucking sleeping titts gorgeoushorny .rar.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

resource	yara_rule
C:\Program Files\Windows Sidebar\Shared Gadgets\indian gang bang fucking sleeping titts gorgeoushorny .rar.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File opened (read-only)	\??\S:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\U:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\A:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\M:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\O:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\Q:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\R:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\T:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\J:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\K:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\L:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\W:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\Y:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\Z:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\E:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\G:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\V:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\N:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\P:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\X:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\B:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\H:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File opened (read-only)	\??\I:	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in System32 directory 10 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\american gang bang blowjob lesbian hole .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish gang bang xxx full movie hole .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian cum sperm several models titts (Christine,Liz).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish handjob trambling big balls .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\black handjob xxx big YEâPSè& .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\FxsTmp\american kicking bukkake sleeping .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian nude trambling hot (!) feet shoes .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\System32\DriverStore\Temp\trambling voyeur hole boots .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\FxsTmp\handjob lingerie [free] feet .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SysWOW64\config\systemprofile\xxx big glans latex .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in Program Files directory 15 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\microsoft shared\fucking several models femdom .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian gang bang fucking full movie glans ìï .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Common Files\Microsoft Shared\tyrkish handjob hardcore public glans gorgeoushorny .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\brasilian horse gay hot (!) latex .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\indian cumshot sperm licking gorgeoushorny .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\american fetish blowjob [free] (Karin).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\american animal xxx catfight (Sylvia).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\american fetish beast hot (!) cock pregnant .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\danish animal lingerie uncut titts upskirt (Tatjana).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\horse masturbation fishy (Christine,Sylvia).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\DVD Maker\Shared\black nude blowjob catfight titts femdom .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\indian gang bang fucking sleeping titts gorgeoushorny .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\horse catfight cock swallow .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files (x86)\Google\Update\Download\malaysia hardcore licking swallow .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Program Files\Windows Journal\Templates\russian gang bang xxx full movie swallow .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Drops file in Windows directory 64 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\british xxx lesbian hole .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\asian beast sleeping cock young (Janette).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\chinese trambling licking redhair .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\french sperm [milf] .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\PLA\Templates\bukkake licking titts leather (Samantha).rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\japanese handjob sperm [bangbus] gorgeoushorny .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\indian handjob horse masturbation hole traffic .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\hardcore catfight boots .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\chinese xxx [free] mistress .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\brasilian cumshot hardcore several models boots .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\tyrkish animal lingerie hidden titts femdom .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\beast licking ash .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\xxx [bangbus] glans traffic .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\hardcore [milf] penetration (Gina,Jade).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\lesbian full movie glans .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\gay girls hole shoes .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\gay lesbian .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\lesbian full movie hole .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\asian gay hot (!) glans ash (Janette).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\gay big hairy .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\Temp\xxx uncut .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\gang bang lesbian hot (!) YEâPSè& .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\black beastiality bukkake [free] cock .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\british xxx public cock .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\african beast masturbation .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\tyrkish porn xxx licking cock mature .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\horse catfight redhair .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian beastiality bukkake [milf] granny (Kathrin,Samantha).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\swedish horse lesbian hidden .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\blowjob voyeur (Melissa).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\cum bukkake lesbian (Karin).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\animal beast big bondage .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay hot (!) (Curtney).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\sperm girls (Janette).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\british beast masturbation hairy (Ashley,Curtney).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lesbian girls mature .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\tyrkish fetish blowjob sleeping upskirt .mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\InstallTemp\tyrkish horse xxx [free] feet sm .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\french horse voyeur titts swallow .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\SoftwareDistribution\Download\japanese cum trambling [bangbus] (Tatjana).mpg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\spanish sperm hot (!) mistress (Sonja,Melissa).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\spanish lesbian several models feet .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\canadian trambling voyeur hole (Sandy,Curtney).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\danish action gay voyeur traffic .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\porn beast big hotel .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\cumshot blowjob [milf] (Tatjana).rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\spanish gay sleeping (Tatjana).zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\italian beastiality lesbian uncut young .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\canadian beast [milf] hole gorgeoushorny .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\american beastiality lesbian public .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\Downloaded Program Files\black nude gay [milf] lady .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\norwegian sperm [free] girly (Jenna,Jade).rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\brasilian porn hardcore lesbian (Sylvia).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish kicking xxx licking lady .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\american animal sperm catfight traffic .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\sperm licking .rar.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\italian animal xxx lesbian glans latex .zip.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx uncut glans traffic (Melissa).mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\german gay full movie .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\fucking sleeping glans hotel .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\cumshot lesbian full movie swallow .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\nude xxx uncut (Melissa).avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\beastiality beast [milf] .mpeg.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\french horse hot (!) bedroom .avi.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

pid	process
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
2540	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exef612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

description	pid	process	target process
PID 1936 wrote to memory of 2696	1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 1936 wrote to memory of 2696	1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 1936 wrote to memory of 2696	1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 1936 wrote to memory of 2696	1936	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2696 wrote to memory of 2540	2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2696 wrote to memory of 2540	2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2696 wrote to memory of 2540	2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
PID 2696 wrote to memory of 2540	2696	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe	f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2696

C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe
"C:\Users\Admin\AppData\Local\Temp\f612114e80d6d0a0ea0710d312d6db0ff328e5417c8020165fc0f7274ba439da.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\indian gang bang fucking sleeping titts gorgeoushorny .rar.exe
Filesize
1.7MB

MD5
ec859011481b3344daabc38fbd11cf00

SHA1
fbd72e2bbfbf2fbdf9c4453bfdb3f7f9acb40af5

SHA256
a329e09e40cc7c355a3d0d95c15a9f7073a536d8df31ce4a70fe63564c8afe3e

SHA512
44e33d08c299ed019bc6240cc68db7903c3efb7feb6c018d957276e7b23ff32f162c08e436e7e43e33ab32bc4c6eff18c5ba13681aa8fe7fb540e139b7b6ff41

Download Submit
C:\debug.txt
Filesize
183B

MD5
94a3d944144cc15d5e11225e81223238

SHA1
2a4ec907834cb92ebf8732417fb9a7cba7400f97

SHA256
561f16d9c8c7efa751a77cca2b62630eccdb6f8279865305b9a9b841ea336e33

SHA512
abbaee5b60db1b7ee4f8e42cbaebaa52f972b922ef5139f3fe205c2b7461fc7383ae33ed845cd9f5ab14a07a118c345f1c81154796c74b6f00d3fe81728174d1

Download Submit