34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4

General

Target

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
Size

1.9MB
MD5

22ba473e2677fa0949f632256a5ce217
SHA1

7e6ecfe3b1133df5b71b26441ee5ece71b8d3d7e
SHA256

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4
SHA512

7d7b1ef573f36f04f7b426e96b172e4b2fa3ce320e3380acf8c4f7adfa6a2620d20453ff3d723654aaaf01d31783786d4b118ab575b71e6ac46e4bdcc110986e
SSDEEP

49152:VVXlktUaYMLK7gli+rFE5lq4i1oh4Jf7FN:VKYUi2NRevi164JzFN

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	ioc	process
File opened (read-only)	\??\N:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\Q:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\U:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\V:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\Y:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\Z:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\J:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\G:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\T:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\W:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\A:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\H:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\K:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\P:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\B:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\I:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\L:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\M:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\O:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\R:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\S:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\X:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File opened (read-only)	\??\E:	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Drops file in System32 directory 10 IoCs

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	ioc	process
File created	C:\Windows\SysWOW64\FxsTmp\japanese animal fucking hidden glans high heels .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking hidden titts shoes .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish fucking [milf] titts hotel .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\IME\shared\trambling voyeur hole hotel .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm hot (!) hole (Sandy,Sarah).mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian handjob lesbian big titts .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\japanese animal horse full movie feet castration (Karin).mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\IME\shared\lesbian public hole .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian horse xxx full movie stockings .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\System32\DriverStore\Temp\hardcore [free] boots (Anniston,Karin).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Drops file in Program Files directory 15 IoCs

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	ioc	process
File created	C:\Program Files\Windows Journal\Templates\danish animal gay hidden .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Google\Temp\danish porn xxx big ash .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\sperm hidden titts .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files\Common Files\Microsoft Shared\bukkake hidden feet .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\italian fetish sperm full movie .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian porn horse [free] .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\italian gang bang trambling hidden glans .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish fetish bukkake lesbian hole .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files\DVD Maker\Shared\blowjob [milf] lady .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\hardcore hot (!) black hairunshaved .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Google\Update\Download\bukkake uncut YEâPSè& .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\black kicking sperm big glans mistress (Melissa).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian kicking lingerie hidden .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx hidden .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\indian gang bang beast voyeur femdom .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Drops file in Windows directory 64 IoCs

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\cumshot trambling sleeping (Melissa).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\spanish gay licking cock YEâPSè& .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\brasilian kicking hardcore full movie cock girly .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\italian gang bang lingerie hot (!) (Karin).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\fetish horse hot (!) glans .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\italian animal trambling public titts .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\gay big hole circumcision .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\brasilian beastiality bukkake [bangbus] .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\trambling catfight mistress .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\spanish lingerie [bangbus] .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\Temp\swedish gang bang horse lesbian glans hairy .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\swedish kicking lesbian licking latex .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\british sperm several models cock .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\beastiality horse catfight fishy .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\Downloaded Program Files\tyrkish kicking sperm catfight leather .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\swedish handjob lesbian masturbation cock leather .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\german fucking public glans high heels .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\sperm [bangbus] upskirt (Anniston,Samantha).zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\norwegian horse full movie .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\bukkake catfight glans .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\fetish xxx [free] .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\norwegian lingerie hot (!) glans ejaculation .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\cum xxx masturbation titts balls (Liz).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\gang bang beast big cock .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\danish cumshot sperm several models cock upskirt (Janette).rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\spanish hardcore [bangbus] .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\canadian hardcore public 50+ (Kathrin,Jade).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\handjob bukkake hidden hole granny (Samantha).zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\british hardcore catfight feet pregnant (Tatjana).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\asian lesbian masturbation swallow .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\canadian trambling catfight (Melissa).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\japanese porn gay hot (!) leather .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\tyrkish kicking blowjob masturbation .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\tmp\beast big gorgeoushorny .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\xxx [bangbus] feet .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\american horse bukkake masturbation traffic (Ashley,Karin).mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\hardcore lesbian glans traffic .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\InstallTemp\sperm lesbian .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\cumshot trambling hidden feet boots (Melissa).rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\horse [milf] hole hairy (Liz).rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\lingerie masturbation cock .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\mssrv.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\security\templates\indian kicking blowjob [milf] blondie .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish cumshot horse uncut hole upskirt .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\gay catfight stockings .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\danish cumshot xxx public boots .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\asian gay hot (!) hole high heels (Tatjana).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\cum sperm girls shoes .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fucking girls feet circumcision .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lesbian [bangbus] ash .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\action sperm big .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish kicking horse girls high heels .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\american horse blowjob public young .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\kicking lesbian hot (!) hole black hairunshaved .rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\xxx hidden castration .mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\fucking hidden girly .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\norwegian xxx catfight glans (Christine,Melissa).rar.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\bukkake [free] glans (Anniston,Sylvia).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\japanese cumshot horse voyeur hole black hairunshaved .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\temp\horse several models balls .zip.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\french beast several models sweet (Anniston,Sarah).mpg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\tyrkish fetish lesbian public .mpeg.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\cum lesbian public .avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\italian cum gay [free] hole (Anniston,Samantha).avi.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

pid	process
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
2404	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

description	pid	process	target process
PID 2136 wrote to memory of 2396	2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2136 wrote to memory of 2396	2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2136 wrote to memory of 2396	2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2136 wrote to memory of 2396	2136	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2396 wrote to memory of 2404	2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2396 wrote to memory of 2404	2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2396 wrote to memory of 2404	2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
PID 2396 wrote to memory of 2404	2396	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe	34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe

C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
"C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2136

C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
"C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe
"C:\Users\Admin\AppData\Local\Temp\34cb7579ccb9b9d8f981b264f22eed9f1bb7e4299e1d74959ba5c21688c655a4.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian porn horse [free] .mpeg.exe

Filesize
1.1MB

MD5
f41c2d938e50fa41b89cba3627e6c31c

SHA1
36bd24edaa06418de7c90134e2ba6e72dbf5b57a

SHA256
28c80cca98de8f8e8544c44e57f4a62de010f2d8a46e1728eec3dd88003aa66e

SHA512
f4a411839097f75073584760578faf72d6bf34fc8a622d8105f3d88adba9595a64eba40c5079c9d18bfcc501339008b65fe52e880448175e4633a6929e546eb5

Download Submit
C:\debug.txt

Filesize
183B

MD5
681033b107d17c6b037d8c0ff647e6c7

SHA1
eccd5e68f60bd86b050cbb188be4c48d7b180c12

SHA256
f1b32ed31a02c3369a91e0596d71fb777d68c042ea6862c6d8503d1e37722282

SHA512
751154fe59cd520774721822a7f88657b5f36a1e42249e85c46044bedbb3a626f4674989333c16f32956463e8f1d6633aad65d94a7c50a6bd91601eab4ab96fc

Download Submit
memory/2136-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2136-63-0x00000000050B0000-0x00000000050DB000-memory.dmp

Filesize
172KB

Download
memory/2396-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2396-88-0x0000000001EE0000-0x0000000001F0B000-memory.dmp

Filesize
172KB

Download
memory/2404-89-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads