2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
Size

392KB
MD5

407025b0442dad02fabd9a7f835f66d0
SHA1

bcdfc1264cb7b364c69bc8ff63708dc3004c817d
SHA256

2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1
SHA512

d3b840338322524cc68afc91ec78aeecb5b77723513752e0a72152e1e66f6d00bb46c3f24a943effc682f88b731aa60b718e00d80adbe464c5f362e235b7498f
SSDEEP

12288:dXCNi9Bg5li3LkIcM4CBazPKLb368arfm5UYCO:oWgeorjEO8Um5UYp

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\L:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\O:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\S:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\M:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\N:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\Q:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\R:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\G:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\I:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\K:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\W:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\Y:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\A:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\B:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\H:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\T:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\U:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\V:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\Z:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\E:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\J:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File opened (read-only)	\??\P:	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\swedish beastiality trambling girls feet black hairunshaved (Jade).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay masturbation stockings .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\System32\DriverStore\Temp\danish action beast uncut cock balls .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\IME\shared\bukkake [free] glans lady (Janette).rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse voyeur glans stockings .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\FxsTmp\japanese porn blowjob catfight cock .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\FxsTmp\canadian hardcore [bangbus] glans hotel (Karin).rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian nude horse voyeur feet .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian porn sperm full movie glans .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SysWOW64\IME\shared\blowjob public hole shower .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\japanese kicking trambling big circumcision .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Google\Update\Download\black nude sperm lesbian feet stockings (Liz).zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish fetish sperm [milf] glans fishy .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black handjob horse hot (!) glans black hairunshaved .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian porn hardcore several models cock .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese fetish fucking [bangbus] shower .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish horse lesbian public .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\danish horse blowjob public (Melissa).zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files\DVD Maker\Shared\black nude beast hot (!) .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie [milf] cock femdom .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\trambling catfight feet (Sonja,Sarah).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\xxx several models glans young .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files\Common Files\Microsoft Shared\lingerie public upskirt (Kathrin,Janette).zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files\Windows Journal\Templates\bukkake masturbation .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\american nude gay [free] feet circumcision .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\xxx full movie wifey .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\hardcore big femdom .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish nude lingerie several models ash .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\lesbian [bangbus] shoes .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish action horse public glans .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\xxx full movie feet .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\asian lesbian lesbian cock .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\blowjob hot (!) ash .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\spanish sperm hidden (Sylvia).mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\african hardcore [milf] lady .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\hardcore public .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\Downloaded Program Files\lingerie girls .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\trambling [free] glans femdom (Karin).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\gang bang gay voyeur .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\security\templates\russian horse sperm full movie feet swallow (Jade).zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\beast licking ìï .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\tyrkish porn beast voyeur pregnant (Kathrin,Tatjana).rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\fucking [free] glans .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\tmp\trambling uncut (Melissa).mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\british blowjob lesbian hole swallow (Tatjana).mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\malaysia blowjob hidden ejaculation .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american cumshot xxx uncut ejaculation .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gay licking .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\PLA\Templates\russian nude bukkake hidden bondage .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\african horse catfight .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\black nude sperm voyeur young .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\american porn horse catfight 50+ .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\beast hot (!) .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\gang bang beast masturbation hole (Jenna,Karin).mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\brasilian handjob gay hidden .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\beast masturbation circumcision .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\beastiality beast [bangbus] (Jade).mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\norwegian lesbian [bangbus] glans circumcision .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\spanish fucking voyeur titts wifey .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\canadian hardcore full movie stockings (Ashley,Curtney).mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\SoftwareDistribution\Download\italian horse xxx big titts .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\brasilian cum gay voyeur sweet .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\russian animal horse big bondage .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\cum lesbian voyeur .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\animal lesbian big black hairunshaved (Christine,Janette).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\indian action beast licking .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\norwegian lingerie [bangbus] .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\brasilian gang bang sperm voyeur stockings .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\french horse hidden hole gorgeoushorny .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\beast [bangbus] cock .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\swedish cum lesbian [free] .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\animal sperm lesbian (Liz).mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\norwegian fucking [bangbus] glans stockings (Sylvia).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\french lesbian masturbation cock 50+ (Janette).zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\beast [milf] balls .rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\porn lesbian licking bedroom (Sonja,Karin).mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\canadian beast masturbation shower .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\handjob hardcore full movie .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\blowjob voyeur hairy (Kathrin,Jade).mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\russian kicking fucking licking (Melissa).rar.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\british hardcore catfight shower .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\blowjob [milf] hole (Sonja,Sarah).mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\InstallTemp\black kicking xxx [bangbus] hairy .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\gay [free] (Janette).avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\american gang bang fucking [bangbus] glans .avi.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\horse hardcore hidden latex .zip.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\horse licking .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\american porn beast [milf] latex .mpeg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\italian fetish gay hidden stockings .mpg.exe	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
2912	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2748	2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	30
PID 2848 wrote to memory of 2748	2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	30
PID 2848 wrote to memory of 2748	2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	30
PID 2848 wrote to memory of 2748	2848	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	30
PID 2748 wrote to memory of 2912	2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	31
PID 2748 wrote to memory of 2912	2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	31
PID 2748 wrote to memory of 2912	2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	31
PID 2748 wrote to memory of 2912	2748	2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe	31

C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
"C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
  "C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe
    "C:\Users\Admin\AppData\Local\Temp\2fc90d54e037126a73c8065f847fd77de73dfb0c7150f1ddbee7e6016e9bbfc1.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\italian porn hardcore several models cock .mpeg.exe

Filesize
1.8MB

MD5
f98cdd4cd0b2ff07129a123e3ed8a203

SHA1
a7486511c9224cdacb8d85992954708e12058dc5

SHA256
6f2ce8a14d65bcad1771fcc788e12b11bef5d792039acb5af859a23306639c82

SHA512
1961d6a30dcfe4927aa9ad1935b824b7093b56aee165032843c3ae2a10ae15fb7523bfdf24b83a5535c0f8b79cf0d7cc4426b4c3adbaaf9d62ce5f2f2da38581

Download Submit
C:\debug.txt

Filesize
183B

MD5
5c627c7d01967c53e2fecda87c15202d

SHA1
c7ec10c7876034025c750222f6e6f1f920488e83

SHA256
e7b9066f8bf3d0eefda9627cfec5934be24e5cba5f0a0894863a562c9d5426f1

SHA512
8915f5daae18ba155bf7ef0c0eede5dd346c0128cb9fcba3ab44746e68e55fbb608527b0095abe8a34520eede12a8542c85ba4acc3a4ecab6934a56fff2aa691

Download Submit
memory/2748-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2748-66-0x0000000004D20000-0x0000000004D4B000-memory.dmp

Filesize
172KB

Download
memory/2848-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2848-31-0x0000000004CD0000-0x0000000004CFB000-memory.dmp

Filesize
172KB

Download