2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985

General

Target

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
Size

1.9MB
MD5

d1e4373cc1626454e2620772060dc927
SHA1

0896212c534e570a86e2306dd3da00cc3027de80
SHA256

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985
SHA512

eaaf2585bd0a32cbf435a979f7f5b4ca09807899d848a9e9f5499f73d84dfcf55718b917ad9d3cad0b5856ced137e3d2c74b8736aa048985562158283c0991bb
SSDEEP

49152:Mfz3An7ikIMch3VT0osQkrIVOm/8UVMViWCibytNX25:0k/2hZ0YkQHVHgen25

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-86-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2568-87-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2452-88-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2472-89-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-90-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-92-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-97-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-101-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-115-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-119-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-123-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-127-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-133-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-137-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-141-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-145-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-149-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/3048-153-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
C:\Program Files\Windows Sidebar\Shared Gadgets\hardcore uncut cock bondage .zip.exe	UPX
behavioral1/memory/3048-86-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2568-87-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2452-88-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/2472-89-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-90-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-92-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-97-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-101-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-115-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-119-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-123-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-127-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-133-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-137-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-141-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-145-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-149-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral1/memory/3048-153-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3048-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
C:\Program Files\Windows Sidebar\Shared Gadgets\hardcore uncut cock bondage .zip.exe	upx
behavioral1/memory/3048-86-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2568-87-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2452-88-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/2472-89-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-90-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-92-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-97-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-101-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-115-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-119-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-123-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-127-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-133-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-137-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-141-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-145-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-149-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral1/memory/3048-153-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	ioc	process
File opened (read-only)	\??\B:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\H:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\M:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\P:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\S:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\A:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\J:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\L:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\N:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\Q:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\R:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\U:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\Z:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\G:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\K:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\V:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\W:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\E:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\I:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\O:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\T:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\X:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File opened (read-only)	\??\Y:	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Drops file in System32 directory 10 IoCs

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FxsTmp\hardcore licking (Tatjana).avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\trambling [bangbus] hotel .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\System32\DriverStore\Temp\japanese animal bukkake girls latex .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\IME\shared\trambling [free] hairy (Sonja,Tatjana).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black beastiality horse voyeur lady .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\black porn lingerie [free] cock .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beast girls cock stockings .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese horse bukkake hidden titts .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish gang bang beast full movie glans sm (Janette).mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\SysWOW64\IME\shared\sperm hidden stockings .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Drops file in Program Files directory 15 IoCs

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\Templates\gay [milf] cock hotel .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese animal bukkake public titts .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\hardcore hidden upskirt (Jenna,Liz).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files\Common Files\Microsoft Shared\japanese kicking lesbian [milf] (Jade).avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files\DVD Maker\Shared\xxx sleeping .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\gay full movie feet hotel (Tatjana).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\beast girls 40+ .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\beast sleeping feet .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\black animal xxx sleeping penetration .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\brasilian beastiality lesbian lesbian cock pregnant .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\hardcore uncut cock bondage .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Google\Temp\beast [milf] balls .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish gang bang lesbian masturbation high heels (Sandy,Jade).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\trambling lesbian hole bondage (Liz).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish beastiality lingerie public titts .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Drops file in Windows directory 64 IoCs

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\kicking beast lesbian traffic .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\japanese animal blowjob hot (!) .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\kicking bukkake licking hotel .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\temp\russian porn trambling sleeping feet mature (Liz).mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\porn lesbian lesbian upskirt .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\russian cum hardcore lesbian feet pregnant (Melissa).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\beastiality trambling [milf] feet 50+ (Janette).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\xxx licking shower .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\handjob horse [bangbus] glans (Ashley,Liz).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\chinese trambling several models ejaculation .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\african sperm big feet .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\african beast masturbation glans ash .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\danish porn xxx sleeping titts .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish kicking trambling voyeur hole 50+ (Tatjana).mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\blowjob girls .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\japanese kicking horse full movie (Liz).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\action trambling public girly .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\norwegian lesbian big cock .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\brasilian beastiality trambling big latex .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\italian kicking horse catfight black hairunshaved .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lingerie licking blondie .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\brasilian nude bukkake [bangbus] titts (Christine,Melissa).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\gang bang hardcore lesbian hole blondie (Janette).zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\canadian lesbian hot (!) titts sm .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\asian gay sleeping glans 40+ .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian masturbation redhair .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\PLA\Templates\lesbian public feet YEâPSè& (Janette).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\chinese beast big castration (Sonja,Liz).mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\Temp\italian animal bukkake [bangbus] glans .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\african gay public cock .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\lingerie several models traffic .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\xxx sleeping .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\beastiality trambling big titts balls (Tatjana).mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\gang bang bukkake [bangbus] .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\asian gay [bangbus] glans black hairunshaved .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\porn sperm masturbation titts sm .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\sperm [milf] mature .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\sperm [bangbus] upskirt .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\trambling full movie cock granny .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\Downloaded Program Files\fucking catfight glans circumcision (Tatjana).mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\japanese handjob lesbian full movie cock bondage (Tatjana).mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\brasilian beastiality lesbian several models (Liz).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\lesbian hidden (Karin).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\malaysia xxx lesbian swallow .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish gang bang trambling catfight .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\indian cumshot fucking hot (!) wifey .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\african beast [bangbus] high heels .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\lingerie hidden feet high heels .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\horse sleeping feet .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\norwegian bukkake [free] (Janette).rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\canadian blowjob lesbian castration .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\cumshot bukkake public wifey .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\canadian bukkake several models glans blondie .avi.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\cumshot gay [milf] leather .mpg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\cum beast voyeur feet ìï .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\indian handjob sperm public castration .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\malaysia hardcore several models femdom .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\hardcore [milf] titts mistress .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\japanese beastiality horse big glans hotel .mpeg.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish kicking fucking licking YEâPSè& .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\sperm licking glans .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\mssrv.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\brasilian porn beast [milf] ejaculation .zip.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\fucking uncut .rar.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

pid	process
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2472	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
2452	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

description	pid	process	target process
PID 3048 wrote to memory of 2568	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2568	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2568	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2568	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 2568 wrote to memory of 2452	2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 2568 wrote to memory of 2452	2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 2568 wrote to memory of 2452	2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 2568 wrote to memory of 2452	2568	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2472	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2472	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2472	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
PID 3048 wrote to memory of 2472	3048	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe	2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe

C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
"C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
"C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
"C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe
"C:\Users\Admin\AppData\Local\Temp\2c87857992f01251dbc651688d1fa470b3e72c1951009e297c4a611247c61985.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\hardcore uncut cock bondage .zip.exe
Filesize
1.8MB

MD5
b2c873bb34f9905f6a9528648755d03a

SHA1
e9d4ead01126520cced6c4e2b0c368a2fc16a512

SHA256
802bbff875908b873b964d8fe6f838a387448eaeb8acb958c7b77adf2d4cc5aa

SHA512
2e200cf1f386220b4524978944128ecf284a453eb0fb6ceb9c1bf2a5d6f091241f8d536acff65709eed2a4777022e9729117a34aa3ed8e75a4ecb2ca816c041f

Download Submit
C:\debug.txt
Filesize
183B

MD5
737e3eff8ac7a0fb5507c14c8a86e0cf

SHA1
ec1a438ec12930ddb9c8ef769f093839e7ee74d9

SHA256
ecde277526cf55f86960edc3af0d6bd6075af1f7f1d7f3c6c7bcb2ea482f5700

SHA512
67b3f59b252ab2c6df9ee0fb6a5d255a835eb680b14d735f06a082e2611ddf245449e5d1f85fcb97dd5d092e512b287689ac2080f2a80682147d3d9c28e4734b

Download Submit
memory/2452-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2472-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2568-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-91-0x0000000001FE0000-0x0000000001FFE000-memory.dmp

Filesize
120KB

Download
memory/3048-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-119-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-127-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-137-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-141-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-149-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3048-153-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads