3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
Size

669KB
MD5

ea4cf97325f044e314e67b5187f91501
SHA1

14413b86f40e6f096196a73838df86d34ac9214d
SHA256

3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96
SHA512

296d010d977ab1600d5f54c03f917a90f2b1e06c8cbe168da45e57be64cb011b5bd49ae51e60893833c42af5d32f90274f94754a948c1660781740a68b023215
SSDEEP

12288:dXCNi9BvbVaco8XJ73rwRZRDy0WDGFg2d6mWAQOi3EN1sQwTL:oWvbVaj8Z7EW0rFDd6mWpOnN2Qwv

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\H:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\I:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\J:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\N:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\W:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\L:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\Q:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\X:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\Y:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\Z:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\A:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\B:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\E:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\K:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\O:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\R:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\S:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\V:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\M:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\P:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\T:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File opened (read-only)	\??\U:	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\FxsTmp\black porn sperm uncut feet young (Melissa).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\IME\shared\sperm masturbation ejaculation .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\System32\DriverStore\Temp\danish cum beast big hairy .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\FxsTmp\fucking [bangbus] sweet .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\IME\shared\bukkake lesbian .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american nude blowjob public glans redhair .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian handjob blowjob uncut glans .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beast several models glans circumcision (Sarah).mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian cum hardcore [free] feet traffic .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\swedish beastiality lesbian girls hole .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\trambling [milf] titts mature .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish cum blowjob full movie glans girly .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\indian porn gay catfight sweet .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\trambling hot (!) girly .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files\Common Files\Microsoft Shared\horse [free] cock gorgeoushorny .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files\Windows Journal\Templates\blowjob lesbian cock .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Google\Temp\italian nude sperm hidden penetration .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\trambling [bangbus] hole .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\hardcore uncut (Tatjana).avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\horse hidden bedroom .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\japanese kicking trambling sleeping .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\brasilian horse sperm voyeur .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese cum bukkake [milf] (Curtney).zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files\DVD Maker\Shared\sperm [milf] cock lady (Curtney).mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\fucking lesbian pregnant .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\hardcore public ash (Christine,Sarah).mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\british horse several models ìï (Sandy,Tatjana).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\gay [milf] feet upskirt (Melissa).avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\japanese cum horse [milf] (Janette).zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\security\templates\fucking catfight bedroom (Gina,Samantha).zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\xxx licking titts .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\african xxx several models .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\beast catfight .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\kicking xxx [free] traffic (Jenna,Liz).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\brasilian nude sperm full movie bedroom .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\horse gay full movie .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian porn beast masturbation titts femdom .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\brasilian horse sperm sleeping cock young .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\black porn beast uncut leather (Gina,Janette).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\danish nude lingerie girls (Sylvia).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\cumshot xxx uncut granny .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\cumshot hardcore full movie feet .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\french sperm girls cock bedroom (Sarah).avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\british gay masturbation mistress .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\animal beast [milf] femdom (Christine,Liz).mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\tyrkish nude fucking lesbian shoes .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\german lingerie [bangbus] swallow .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\beast hot (!) titts granny (Janette).mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\african lesbian uncut .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\norwegian horse masturbation shower (Jenna,Curtney).zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\cumshot trambling full movie mistress .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\tmp\fucking hot (!) girly .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\lingerie [bangbus] glans .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\handjob sperm several models cock (Jenna,Tatjana).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\british trambling several models glans ìï (Melissa).avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\xxx several models .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\temp\japanese gang bang sperm [milf] .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\spanish hardcore big castration .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\bukkake lesbian glans lady .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\cum trambling hot (!) (Sylvia).mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\hardcore uncut .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\gay lesbian (Liz).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\horse horse sleeping upskirt .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\bukkake lesbian black hairunshaved .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\gay lesbian .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\lesbian catfight granny .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\black beastiality beast big girly .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\cumshot lingerie hidden .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\mssrv.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\japanese beastiality blowjob girls (Sarah).avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\indian fetish lingerie hot (!) feet pregnant (Jade).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\InstallTemp\porn horse uncut circumcision .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\sperm sleeping femdom .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\swedish fetish lingerie [milf] .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\russian action bukkake hidden cock .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\indian handjob lingerie girls feet .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\gay girls titts .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\fucking full movie 40+ (Gina,Karin).zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\black porn hardcore masturbation black hairunshaved .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\lingerie [free] cock .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\tyrkish gang bang hardcore sleeping young .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\british lingerie uncut hole girly .zip.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\horse lesbian [milf] fishy .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\italian fetish fucking [free] beautyfull .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\black nude fucking catfight leather .mpg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\Downloaded Program Files\russian nude fucking girls hairy .avi.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\american animal horse hot (!) hole hairy .rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\beast full movie (Karin).rar.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\lingerie girls ejaculation .mpeg.exe	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
564	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2584	2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	30
PID 2624 wrote to memory of 2584	2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	30
PID 2624 wrote to memory of 2584	2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	30
PID 2624 wrote to memory of 2584	2624	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	30
PID 2584 wrote to memory of 564	2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	31
PID 2584 wrote to memory of 564	2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	31
PID 2584 wrote to memory of 564	2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	31
PID 2584 wrote to memory of 564	2584	3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe	31

C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
"C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
  "C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe
    "C:\Users\Admin\AppData\Local\Temp\3c4121ce5b65c96a292021c2f9e61318469fcd74609e99bedbfd9778b635cb96.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\trambling [milf] titts mature .rar.exe

Filesize
1.7MB

MD5
1bdd1a7d667bab483c838c5c97b24a78

SHA1
2cde5e92ca0fda6ac1ae7bd042c92351f3e7ff82

SHA256
c724af5fbdf639ba83a46f4273e83d14bec472a050e2f2c0b18c3b80cba882d1

SHA512
ef739298b5a90b63eeeb9d929e0ce72647a297da0f85d0069390ac46092faae273aebdb33ccc7c3a0b984ab30f86a7d1672e8785654b196b556c471f6a5fb73d

Download Submit
C:\debug.txt

Filesize
183B

MD5
5dfcdffa9336696c640d23de145d7e20

SHA1
a9f13b70abd5a959a568bc0a1f7a7747491285bd

SHA256
71f6a85a94131e5df098ca6e2e5cc04b0138f16b7c34b297cb889f09fb510316

SHA512
06bb2c12551a8db607f4418f94f9bac2c07f49baf91533454e6b67ea433b44ede44e8820b04bde681c5d6e402b439e331767ed8b4056527abd8e449709edd19b

Download Submit
memory/2584-89-0x0000000004DE0000-0x0000000004E0B000-memory.dmp

Filesize
172KB

Download
memory/2624-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2624-77-0x00000000053A0000-0x00000000053CB000-memory.dmp

Filesize
172KB

Download