2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b

General

Target

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
Size

439KB
MD5

4f4ee98d82606f059e76671191798230
SHA1

2e0e8babb74832b34fdc300cd4c3b2464c2fdcd4
SHA256

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b
SHA512

01c5763562e3bb8bd67caa348a446723cfb713b1518e547a6e3f4bdf8963af584e11d5ce6c9517924e719432eeed56660e33c6eb8ebce0f1e72eb6400b2300a8

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	ioc	process
File opened (read-only)	\??\Q:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\T:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\X:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\Z:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\J:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\K:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\G:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\L:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\M:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\P:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\R:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\S:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\B:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\F:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\U:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\I:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\Y:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\A:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\E:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\O:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\V:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\W:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\H:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File opened (read-only)	\??\N:	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Drops file in System32 directory 10 IoCs

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IME\SHARED\gay catfight .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling several models cock YEâPSè& .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia trambling public feet leather .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish kicking bukkake [bangbus] hole .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish kicking beast [milf] cock .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\brasilian fetish beast hot (!) cock redhair (Melissa).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish nude lesbian hidden .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal lingerie masturbation blondie .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian horse blowjob licking cock shower .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking masturbation cock ejaculation .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Drops file in Program Files directory 18 IoCs

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\black porn gay [bangbus] wifey .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian nude sperm public .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\nude fucking girls castration .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish animal sperm masturbation titts girly .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Common Files\microsoft shared\japanese gang bang sperm hot (!) high heels .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Microsoft Office\root\Templates\xxx uncut fishy .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\danish horse lesbian [bangbus] mature .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american beastiality bukkake [bangbus] titts .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\american porn horse public beautyfull (Kathrin,Tatjana).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian handjob trambling voyeur titts lady (Curtney).mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian porn bukkake hidden hole young .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian fetish xxx lesbian .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\american nude bukkake big cock boots (Karin).mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake hot (!) (Sarah).mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\gay sleeping sm .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese horse trambling several models hole leather (Karin).mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\horse hot (!) hole swallow (Sylvia).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian fetish horse hot (!) hole .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Drops file in Windows directory 64 IoCs

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\russian cumshot blowjob voyeur hole black hairunshaved .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish gang bang horse catfight titts (Kathrin,Samantha).mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.15063.0_none_e72dde21b301025d\german bukkake hot (!) girly .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15552.17062_none_e2d06dc86a1f7fd5\norwegian lingerie several models hairy .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.15063.0_en-us_beb2894aa158013a\beastiality lesbian several models titts 40+ .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\italian cum beast sleeping .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.15063.0_none_0437af998b0e208e\lingerie lesbian hole sweet (Karin).mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.15063.0_none_15e137df821b01cf\norwegian horse full movie blondie .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_d8c07703ded57c9e\porn blowjob girls (Karin).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.15063.0_none_d2f2b61f3d92d78e\chinese horse sleeping young .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SystemApps\holoitemplayerapp_cw5n1h2txyewy\indian action horse uncut titts .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.15063.0_none_39384d9f3be72de5\action lingerie sleeping cock .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.15063.0_none_b8778c605f34f419\french sperm voyeur feet castration .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.15063.0_none_8a81cc881a4e1ce3\chinese fucking catfight cock .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.15063.0_en-us_ff553ed65b0f6294\swedish porn xxx hidden (Liz).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.15063.0_none_823eedf24d7c94ef\cum lesbian hot (!) bedroom .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.15063.0_none_43bc3732ce83692c\norwegian blowjob voyeur .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\mssrv.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\brasilian horse gay full movie high heels .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..mon-shareexperience_31bf3856ad364e35_10.0.15063.0_none_6dabf19b653361d3\spanish trambling [milf] shoes .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.15063.0_none_648e8091a6ce968d\lingerie full movie glans young (Melissa).rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\InstallTemp\japanese nude lesbian catfight hole (Anniston,Jade).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.15063.0_none_f5c7528d2984503b\sperm public glans mature .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.15063.0_none_f2b78da31df4be36\french bukkake sleeping (Tatjana).mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.15063.0_en-us_63f9db269c27aea6\japanese horse lingerie sleeping (Karin).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.15063.0_none_02462ed3678942cd\cumshot xxx licking glans .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian fetish gay lesbian black hairunshaved .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.15063.0_none_1895ea111f4e532b\action beast hot (!) (Sarah).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.15063.0_none_8018eea795cb7229\swedish handjob beast uncut äï .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.15063.0_none_08bf7f9e8bc2f9be\brasilian gang bang fucking girls granny .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.15063.0_en-us_e8f8d0efa3ca43d8\swedish cum hardcore masturbation hole .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.15063.0_none_540c446686b9d9a8\lingerie big cock .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\assembly\temp\horse big titts pregnant (Tatjana).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.15063.0_none_2035e231b67bc3ca\fetish bukkake full movie hairy .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.15063.0_none_5c58f0dca6d782e3\trambling big feet YEâPSè& (Melissa).rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.15063.0_none_8b0f429dfaa39127\canadian xxx masturbation bondage (Christine,Janette).rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\horse full movie stockings .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..templayer.appxsetup_31bf3856ad364e35_10.0.15063.0_none_9921e5477e81b31d\german bukkake [free] .mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.15063.0_none_4ba01b63d7ffbb2c\sperm [bangbus] feet .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.15063.0_none_90c250ae7f2093cf\lingerie [free] hole fishy (Janette).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.15063.0_none_117413be9149ae07\beastiality horse [bangbus] hole ash .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_fd61363b291ec882\french trambling lesbian (Sarah).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\porn hardcore licking .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\security\templates\trambling masturbation feet .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\black nude beast [milf] hole .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.15063.0_none_02cfe449f29e2cff\blowjob full movie hole gorgeoushorny .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.15063.0_none_49b79a14525917ad\british trambling full movie gorgeoushorny .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.15063.0_none_55f4c5b60c607d27\african gay sleeping (Curtney).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.15063.0_none_6d12728db1fbfb10\gang bang lingerie uncut feet sm .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\gay girls .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SoftwareDistribution\Download\sperm sleeping (Melissa).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.15063.0_en-us_8c2ec72b9de99c9a\japanese beastiality trambling catfight circumcision (Anniston,Jade).mpeg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..itemplayer.appxmain_31bf3856ad364e35_10.0.15063.0_none_321f672489c5b007\tyrkish action fucking voyeur .mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.15063.0_none_4ed62926d6522f6c\german sperm hot (!) glans hotel .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.15063.0_none_d43339c2665f8518\african horse [bangbus] shoes (Gina,Sarah).mpg.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.15063.0_none_4b7c9b14d61ca88c\beast hot (!) hole young (Sarah).avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.15063.0_none_3c065a035d44d0c7\norwegian beast [bangbus] cock beautyfull .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\CbsTemp\gay big balls .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.15063.0_none_5c46d30baced6446\spanish beast full movie .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.15063.0_none_431935c9af4713a2\gang bang beast lesbian feet .rar.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\russian porn gay hidden leather .avi.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\gay [free] titts circumcision .zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.15063.0_none_552cc3fc9d3c35b2\beast big glans (Ashley,Melissa).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.15063.0_none_21fd4bfdeda110b4\danish handjob fucking licking (Liz).zip.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

pid	process
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
1676	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
644	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

description	pid	process	target process
PID 808 wrote to memory of 3244	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 808 wrote to memory of 3244	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 808 wrote to memory of 3244	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 3244 wrote to memory of 644	3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 3244 wrote to memory of 644	3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 3244 wrote to memory of 644	3244	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 808 wrote to memory of 1676	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 808 wrote to memory of 1676	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
PID 808 wrote to memory of 1676	808	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe	2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe

C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
"C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
"C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3244

C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
"C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe
"C:\Users\Admin\AppData\Local\Temp\2fea963c700e257544e1b261e8142812aafc62bff46dc749ec2f663f06cfdb9b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676