913707eb6677e5e8df88f525b16e7e73ff749d5b1141045689ce6325a84b7ce4

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02ae468baf7d023d36af015c86a477a9.exe
Size

1.3MB
MD5

02ae468baf7d023d36af015c86a477a9
SHA1

cc56ea6efdb099d75e188bba827810402c8c2c39
SHA256

913707eb6677e5e8df88f525b16e7e73ff749d5b1141045689ce6325a84b7ce4
SHA512

096debe938ec3f6ba480e929c60dc5a0b8c0ae93f0742e3b3aefd5a678e0526c1b9c3c3f4198b2200828e9feb589bdcbe7f829fdd01308ce08a749fc712acccc
SSDEEP

24576:sSLIwQIjzu+QjPYEozdBArLVBF4b1cDottKM5tcAb8MgQeDuggr9Iopy:ssLzu+QjIBB+V3dDoT1beMgQeKggru8y

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1284-0-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x0007000000015a2d-5.dat	upx
behavioral1/memory/1284-12-0x00000000047C0000-0x00000000047DC000-memory.dmp	upx
behavioral1/memory/2532-13-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2532-52-0x0000000004900000-0x000000000491C000-memory.dmp	upx
behavioral1/memory/1284-91-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	02ae468baf7d023d36af015c86a477a9.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\M:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\P:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\Y:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\B:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\G:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\R:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\X:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\S:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\U:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\A:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\L:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\J:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\K:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\N:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\O:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\Q:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\T:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\E:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\H:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\Z:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\V:	02ae468baf7d023d36af015c86a477a9.exe
File opened (read-only)	\??\W:	02ae468baf7d023d36af015c86a477a9.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\german sperm full movie hairy .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore sleeping feet 50+ .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american fetish lesbian several models sweet .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob girls ejaculation .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm licking glans shower (Tatjana).avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beast full movie granny .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\FxsTmp\hardcore catfight glans ìï (Janette).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\IME\shared\cum xxx [milf] shower (Sandy,Curtney).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\System32\DriverStore\Temp\american beastiality bukkake [free] titts ash .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SysWOW64\IME\shared\sperm [free] cock ejaculation .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\japanese gang bang trambling catfight femdom .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\american fetish xxx licking .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files\DVD Maker\Shared\fucking [bangbus] ìï (Britney,Melissa).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files\Windows Journal\Templates\french sperm voyeur hole .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Google\Temp\xxx full movie feet ash .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Google\Update\Download\brasilian nude gay voyeur femdom .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\bukkake big traffic .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\american cumshot horse catfight glans .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\lingerie uncut (Jade).rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\trambling public cock sm .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian handjob sperm big glans 40+ (Tatjana).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast voyeur (Sylvia).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files\Common Files\Microsoft Shared\italian horse horse catfight (Sarah).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\horse lesbian .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\russian horse sperm licking .rar.exe	02ae468baf7d023d36af015c86a477a9.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\fucking girls hole traffic (Melissa).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\handjob blowjob hot (!) high heels .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\italian gang bang gay licking (Samantha).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\asian horse uncut feet leather .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\indian porn lesbian sleeping glans .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\hardcore hidden granny (Sonja,Tatjana).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\porn fucking licking blondie (Britney,Curtney).avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\horse trambling [bangbus] swallow .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\nude xxx big (Tatjana).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\blowjob hidden .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\trambling catfight titts .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\african horse masturbation hole latex .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\trambling masturbation bedroom .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\cumshot sperm hot (!) hole circumcision .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\SoftwareDistribution\Download\black action gay masturbation sweet .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\black gang bang sperm [milf] 40+ .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\japanese animal horse public cock stockings (Sylvia).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\chinese lesbian sleeping 40+ .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\canadian gay several models ash .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\xxx hot (!) black hairunshaved (Anniston,Karin).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\asian trambling hot (!) feet .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\beastiality beast hidden beautyfull .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\Downloaded Program Files\swedish beastiality lingerie [bangbus] (Sarah).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\italian horse sperm masturbation glans .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\asian fucking hot (!) YEâPSè& .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\russian horse blowjob full movie hole ash (Samantha).avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\italian kicking fucking big bedroom .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\tyrkish beastiality sperm lesbian .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\french lingerie sleeping penetration .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\beast masturbation .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\asian xxx big .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\horse horse catfight (Janette).rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\PLA\Templates\brasilian nude hardcore several models balls .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\security\templates\swedish porn hardcore lesbian glans (Kathrin,Karin).avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\japanese handjob blowjob [milf] hole bedroom .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\cumshot fucking catfight cock .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\porn hardcore sleeping feet penetration .mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\horse hidden cock redhair (Samantha).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\animal blowjob voyeur .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\black nude lingerie voyeur pregnant .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\InstallTemp\fetish hardcore [bangbus] feet girly (Tatjana).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\chinese blowjob [milf] .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\italian fetish beast voyeur titts femdom .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\sperm catfight glans penetration (Liz).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish kicking bukkake public feet mature (Liz).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\brasilian horse sperm sleeping shoes (Anniston,Curtney).zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\blowjob catfight glans .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\swedish kicking bukkake full movie titts shoes .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\norwegian lingerie licking beautyfull .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\temp\black animal sperm uncut titts young (Samantha).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\japanese gang bang fucking sleeping sm .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\british trambling girls 40+ (Britney,Sylvia).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\spanish trambling masturbation stockings .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\french bukkake masturbation titts ejaculation (Janette).mpeg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\indian kicking hardcore girls feet .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\swedish fetish beast big hole .rar.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\horse licking glans circumcision (Sarah).mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\blowjob hidden .avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\asian lesbian catfight latex .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\indian gang bang beast hidden (Tatjana).avi.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\swedish kicking sperm voyeur femdom .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\spanish bukkake masturbation cock .zip.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\african xxx [bangbus] bedroom .mpg.exe	02ae468baf7d023d36af015c86a477a9.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\nude fucking girls (Samantha).avi.exe	02ae468baf7d023d36af015c86a477a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe
2732	02ae468baf7d023d36af015c86a477a9.exe
2532	02ae468baf7d023d36af015c86a477a9.exe
1284	02ae468baf7d023d36af015c86a477a9.exe
2480	02ae468baf7d023d36af015c86a477a9.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2532	1284	02ae468baf7d023d36af015c86a477a9.exe	28
PID 1284 wrote to memory of 2532	1284	02ae468baf7d023d36af015c86a477a9.exe	28
PID 1284 wrote to memory of 2532	1284	02ae468baf7d023d36af015c86a477a9.exe	28
PID 1284 wrote to memory of 2532	1284	02ae468baf7d023d36af015c86a477a9.exe	28
PID 1284 wrote to memory of 2480	1284	02ae468baf7d023d36af015c86a477a9.exe	30
PID 1284 wrote to memory of 2480	1284	02ae468baf7d023d36af015c86a477a9.exe	30
PID 1284 wrote to memory of 2480	1284	02ae468baf7d023d36af015c86a477a9.exe	30
PID 1284 wrote to memory of 2480	1284	02ae468baf7d023d36af015c86a477a9.exe	30
PID 2532 wrote to memory of 2732	2532	02ae468baf7d023d36af015c86a477a9.exe	29
PID 2532 wrote to memory of 2732	2532	02ae468baf7d023d36af015c86a477a9.exe	29
PID 2532 wrote to memory of 2732	2532	02ae468baf7d023d36af015c86a477a9.exe	29
PID 2532 wrote to memory of 2732	2532	02ae468baf7d023d36af015c86a477a9.exe	29

C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe
"C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe
  "C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe
    "C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe
  "C:\Users\Admin\AppData\Local\Temp\02ae468baf7d023d36af015c86a477a9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\russian horse sperm licking .rar.exe

Filesize
1.9MB

MD5
9c9937a04c7d6efe56380148a6d7e0be

SHA1
99c1a2fc9398bd0155552f3aa3e34c3272eba201

SHA256
9c775dbb735e448b2e6e680f48c45ac2fef53a0c6579bb26266ca92730f79286

SHA512
a851383d7ec7f56f343554d313f7dbfb13b6f5bcf81d51d043438a07776bb88b6e1be1722fefb7ad5ec0c4d3370fbf0b77a23b6798b1a30452315e445e843f43

Download Submit
memory/1284-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1284-12-0x00000000047C0000-0x00000000047DC000-memory.dmp

Filesize
112KB

Download
memory/1284-53-0x00000000047D0000-0x00000000047EC000-memory.dmp

Filesize
112KB

Download
memory/1284-91-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1284-92-0x00000000047C0000-0x00000000047DC000-memory.dmp

Filesize
112KB

Download
memory/1284-98-0x00000000047D0000-0x00000000047EC000-memory.dmp

Filesize
112KB

Download
memory/2532-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2532-52-0x0000000004900000-0x000000000491C000-memory.dmp

Filesize
112KB

Download
memory/2532-95-0x0000000004900000-0x000000000491C000-memory.dmp

Filesize
112KB

Download