2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5

General

Target

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
Size

1.7MB
MD5

d058a71049695735805496016365d51a
SHA1

e27aeba42a29ce29ab654e462a5450970ee84290
SHA256

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5
SHA512

eb43325f5b1de7667d5e461294b5eb835960534399bd7267792cc63fbcd104b207dfad86815c8cd8e6dcb7330585fd352ec9cfead131d3d0ff963d0697e7dac2
SSDEEP

49152:XEMC7h36RFaLZ1ybswvTIpjtEA9UoMzPjz:XPFaKIpJERzPjz

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4384-95-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2352-168-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1380-194-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4384-199-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2776-200-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2352-201-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1380-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\hardcore masturbation (Jade).mpg.exe	UPX
behavioral2/memory/4384-95-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2776-167-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2352-168-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/1380-194-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/4384-199-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2776-200-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2352-201-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1380-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\hardcore masturbation (Jade).mpg.exe	upx
behavioral2/memory/4384-95-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2776-167-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2352-168-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1380-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/4384-199-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2776-200-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2352-201-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
File opened (read-only)	\??\Q:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\R:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\T:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\V:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\X:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\G:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\P:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\L:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\M:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\O:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\S:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\Y:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\H:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\J:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\W:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\B:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\I:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\K:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\N:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\U:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\Z:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\A:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File opened (read-only)	\??\E:	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Drops file in System32 directory 12 IoCs

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\horse catfight girly (Jenna,Melissa).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\IME\SHARED\blowjob catfight pregnant (Sonja,Jade).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob hot (!) cock fishy (Janette).rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian nude xxx several models cock traffic .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black fetish hardcore catfight swallow .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian horse hardcore girls feet 40+ .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\FxsTmp\fetish bukkake masturbation upskirt .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lesbian several models sweet .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob voyeur .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse hot (!) castration .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse big cock .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie licking cock .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Drops file in Program Files directory 17 IoCs

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking [milf] boots .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\hardcore masturbation (Jade).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish handjob fucking voyeur black hairunshaved .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\beast uncut titts .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian porn hardcore [free] glans balls .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lesbian sleeping ejaculation .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\lingerie catfight pregnant .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Google\Temp\lingerie several models fishy .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie masturbation .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian horse hardcore girls beautyfull .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish nude lingerie sleeping .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\dotnet\shared\xxx full movie cock (Sonja,Karin).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\root\Templates\blowjob [bangbus] ¼ë (Gina,Curtney).rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\porn fucking public sweet .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beast sleeping femdom .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\japanese cum beast hidden balls .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\indian fetish beast public titts bondage .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Drops file in Windows directory 64 IoCs

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	ioc	process
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish nude sperm [bangbus] sweet .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\xxx catfight titts femdom (Liz).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\american cumshot sperm girls lady .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\canadian hardcore public .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\russian nude hardcore lesbian blondie .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\horse sperm [milf] feet pregnant .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\black action trambling uncut stockings (Anniston,Samantha).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\cum lesbian voyeur ash .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\russian beastiality trambling full movie .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\cum blowjob full movie .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\african trambling hidden cock .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\porn lesbian sleeping shower (Jenna,Curtney).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\blowjob several models .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\malaysia lesbian uncut cock (Britney,Samantha).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\lingerie catfight 40+ .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\lesbian catfight cock femdom (Liz).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\tyrkish nude hardcore uncut (Liz).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\gay [milf] penetration .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\tyrkish action sperm voyeur 50+ .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\british blowjob full movie .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\brasilian action fucking several models .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\canadian xxx hidden titts wifey (Samantha).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\german fucking voyeur hole ejaculation (Tatjana).zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\danish cumshot bukkake masturbation castration .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\kicking gay girls YEâPSè& .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\black handjob trambling sleeping mature (Kathrin,Sarah).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\lesbian hidden hole .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\indian animal xxx several models young (Ashley,Sylvia).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\gang bang gay [bangbus] Ôï .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\gay girls wifey (Sonja,Karin).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\Downloaded Program Files\lesbian full movie (Samantha).rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian porn blowjob girls glans shower (Samantha).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\russian gang bang lesbian full movie .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\asian xxx full movie cock bedroom (Liz).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\horse [milf] hole blondie .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\animal beast catfight shower .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\japanese cum fucking hidden titts (Christine,Liz).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\cum gay hidden cock sweet .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\horse catfight latex .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\animal fucking masturbation 50+ .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\animal sperm lesbian beautyfull .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\tyrkish kicking hardcore lesbian shower .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\nude hardcore public .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\black beastiality lesbian voyeur young .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\indian handjob horse [bangbus] glans .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\french lesbian hot (!) .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\german horse catfight cock (Anniston,Sylvia).rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\danish porn gay [bangbus] hole .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\french gay [milf] glans (Kathrin,Curtney).mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\beastiality trambling masturbation wifey .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\trambling several models titts high heels .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\mssrv.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\xxx voyeur pregnant .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\danish cum beast [bangbus] bedroom (Sandy,Sylvia).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\cum lingerie licking feet .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\cum bukkake girls balls .mpeg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\african gay lesbian titts shower .avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\assembly\temp\trambling [milf] titts .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\cumshot bukkake catfight glans shower .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\indian gang bang blowjob [milf] swallow (Anniston,Tatjana).mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\french gay licking glans .mpg.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\action lesbian hot (!) titts .zip.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\german lesbian masturbation (Janette).avi.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\tyrkish cum horse hidden wifey .rar.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

pid	process
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2352	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
2776	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

description	pid	process	target process
PID 1380 wrote to memory of 4384	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 1380 wrote to memory of 4384	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 1380 wrote to memory of 4384	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 1380 wrote to memory of 2776	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 1380 wrote to memory of 2776	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 1380 wrote to memory of 2776	1380	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 4384 wrote to memory of 2352	4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 4384 wrote to memory of 2352	4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
PID 4384 wrote to memory of 2352	4384	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe	2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe

C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
"C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
"C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4384

C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
"C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe
"C:\Users\Admin\AppData\Local\Temp\2509096d91434af26bfae615bfae80650079c7220bdcb0babd9713ef8a2514d5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2776

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\hardcore masturbation (Jade).mpg.exe
Filesize
1.6MB

MD5
34c493bc2933610a9788a5d347e4122c

SHA1
662396276b4ec7b5885abff05460973cb38593fb

SHA256
c5f82992cdbc9e9e3c02fff58e8baf002fc27ea17f427604934c4ea8e9080587

SHA512
ccff81b931b18e436e1224251d824586225168bd500bd2db66246c4d6e4ad3a530915531334b9e7779220415fec09c54e725efa16669d92e4aa7d18fbdaa9749

Download Submit
memory/1380-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1380-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-168-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-201-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2776-167-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2776-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4384-199-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads