2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
Size

2.0MB
MD5

f8aa8241a5b1f06d36c10aa06098aeaa
SHA1

349f4ba35e552f3763c3264155df50fe2f28390e
SHA256

2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998
SHA512

8b8bf7e79a5dd956dc6e2fc00854acc11c129d44be939cfa1d71b7eddab739fbb84f3267597b64ec9cce7e2c3efe39360295415dc3498956beff08dec91d24fc
SSDEEP

49152:C9G+HROQ/ngZYOop+qNiAImS9J+aDxeWr0y6ZnT:W3PjOjeXS9U0ey6ZT

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\V:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\Y:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\J:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\K:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\L:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\Q:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\R:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\T:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\A:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\B:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\G:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\H:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\N:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\O:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\S:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\Z:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\E:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\I:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\M:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\U:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\W:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File opened (read-only)	\??\X:	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\shared\fucking [free] hole sweet .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob girls hotel (Ashley,Sylvia).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish beastiality beast [bangbus] hole .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\System32\DriverStore\Temp\danish animal horse licking cock .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\IME\shared\lingerie licking sweet .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\xxx licking (Liz).mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american animal lesbian several models cock fishy .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\FxsTmp\lesbian catfight feet .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish nude blowjob sleeping sweet .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american handjob xxx public titts penetration (Karin).mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\brasilian gang bang horse masturbation .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake licking glans .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\american horse sperm catfight balls (Sonja,Liz).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\sperm catfight cock young .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files\Common Files\Microsoft Shared\brasilian fetish horse catfight redhair (Kathrin,Liz).zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files\Windows Journal\Templates\brasilian horse trambling sleeping cock 50+ .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\indian action bukkake voyeur YEâPSè& .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\sperm masturbation .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\bukkake [bangbus] glans (Britney,Sylvia).avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Google\Temp\xxx masturbation cock blondie (Liz).avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\japanese beastiality xxx girls .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\swedish fetish beast [free] hole castration .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\american animal hardcore licking hole swallow .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian gang bang blowjob uncut hole high heels .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Program Files (x86)\Google\Update\Download\horse full movie feet .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\asian xxx masturbation .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\beast hot (!) .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\british blowjob hot (!) (Melissa).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\swedish porn trambling hidden cock blondie (Janette).mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\mssrv.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\cum blowjob several models .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\action fucking catfight castration .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\porn beast full movie hole high heels .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian sleeping .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\hardcore hot (!) .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\danish beastiality horse licking (Sylvia).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\fetish horse several models hole .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\gang bang xxx masturbation (Melissa).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\porn lesbian public hotel .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\bukkake several models .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\black nude hardcore lesbian hole girly (Jade).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\horse bukkake masturbation bedroom .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\gay lesbian (Tatjana).avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\swedish gang bang sperm catfight feet (Anniston,Liz).rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\japanese animal lingerie hidden latex .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\fetish hardcore public hole .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\black cum gay catfight .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\Temp\black horse trambling hidden glans shoes .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\nude lingerie [bangbus] feet shoes .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\spanish fucking hot (!) granny (Christine,Sarah).zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\russian porn gay sleeping hole balls .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\tmp\fucking [milf] girly .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\kicking sperm sleeping .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\brasilian gang bang beast uncut (Sylvia).zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian fetish trambling hot (!) penetration .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\porn lingerie [bangbus] .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\african lingerie full movie hole gorgeoushorny .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\british lingerie hidden glans .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\lingerie [milf] titts femdom (Janette).zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\norwegian lingerie [bangbus] cock .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\fetish sperm [bangbus] .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\lingerie uncut .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\horse bukkake sleeping penetration .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\beastiality fucking masturbation titts (Gina,Janette).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\lingerie public glans .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\chinese lingerie hot (!) balls .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\handjob lesbian [bangbus] feet hairy .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\italian gang bang horse uncut .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\assembly\temp\horse [milf] redhair .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\hardcore sleeping girly .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\danish porn fucking full movie boots .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\tyrkish kicking trambling lesbian feet .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\InstallTemp\brasilian nude blowjob catfight balls .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\handjob trambling several models sm .mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\british bukkake lesbian shower .avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\beast lesbian wifey .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\kicking lesbian hidden YEâPSè& .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\blowjob lesbian upskirt .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\british lingerie voyeur hole .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\security\templates\xxx hidden YEâPSè& .zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\russian gang bang sperm licking swallow (Gina,Janette).mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\tyrkish cumshot horse [milf] stockings .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\PLA\Templates\black porn hardcore [free] (Curtney).avi.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\action xxx public .mpg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\tyrkish gang bang fucking masturbation leather .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\lesbian [bangbus] cock (Gina,Sarah).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\danish action trambling lesbian (Melissa).mpeg.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\japanese gang bang xxx [bangbus] YEâPSè& .rar.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\action lesbian [milf] (Janette).zip.exe	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2936	2060	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
1852	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2380	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	28
PID 2060 wrote to memory of 2380	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	28
PID 2060 wrote to memory of 2380	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	28
PID 2060 wrote to memory of 2380	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	28
PID 2380 wrote to memory of 1852	2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	29
PID 2380 wrote to memory of 1852	2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	29
PID 2380 wrote to memory of 1852	2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	29
PID 2380 wrote to memory of 1852	2380	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	29
PID 2060 wrote to memory of 2936	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	30
PID 2060 wrote to memory of 2936	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	30
PID 2060 wrote to memory of 2936	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	30
PID 2060 wrote to memory of 2936	2060	2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe	30

C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
"C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
  "C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe
    "C:\Users\Admin\AppData\Local\Temp\2fcf6fe837b6364d1fee9a5571705eed8e4cf67e34068aeb0bf435b374525998.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 356
  2⤵
  - Program crash
  PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake licking glans .mpeg.exe

Filesize
1.7MB

MD5
9a037723ad1a949abddd42477cffaac6

SHA1
a679f8bfb076ef51bcd1a78eef48ae572604b2ba

SHA256
089de41cd6d47351d8a3c00b5942b6aef91c3456783cbd389550e387d04d1579

SHA512
03c4e3a62de57497c2252a083bcd9cfa6649d677827c216ab8321dd73ca1cc5a747937394b49fca384668026d74618bd2c984ee7250e6b79b7f39dd57e54244c

Download Submit
C:\debug.txt

Filesize
183B

MD5
01b421c710fa82861aafd3a810fb0d71

SHA1
8af4aec7d9e035f786487133fa3a6181bf7e5dcc

SHA256
3131cbf8a140e7f6031aeda374e433a3c154e79e17d7d6779e3731dc6bcadd7b

SHA512
71d3bee3f49aa45bde2ac25366ed5953de43c30ff731c8fc8b0a24d3ed9fba82c76e6b6389f4d6f77758ea619ffb5f788d5a303f2bf7c87ae19949195e527dd6

Download Submit