Analysis
max time kernel: 162s
max time network: 173s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 23:24
Behavioral task behavioral1
Sample: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Resource: win10v2004-20240319-en
General
Target: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Size: 266KB
MD5: e3e428054fbb0ac813d33336699fc5ec
SHA1: 9b1642a991117d4c24b16c4b2a927f09f7b5aef9
SHA256: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c
SHA512: e8f6539de521f6def10bdde707ee80505863795fc4c59e99f2058bb5a550c4692fcbc2df276508c4c76d0bea0f056e74178e8f56930a290a04f436e8ab655322
SSDEEP: 6144:sPDLCL9Io5R4nM/40y37Ysxio/w3leWj8ZFfUMzHL1XH+gb:sPKLXq/7vioc0WnMzr1Xegb
Malware Config
Signatures
UPX dump on OEP (original entry point) 1 IoCs
Processes (resource, yara_rule):
  C:\Program Files\Windows Sidebar\Shared Gadgets\trambling sleeping girly .mpg.exe  UPX
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (resource, yara_rule):
  behavioral1/memory/3000-0-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  C:\Program Files\Windows Sidebar\Shared Gadgets\trambling sleeping girly .mpg.exe  upx
  behavioral1/memory/2608-12-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2836-60-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/3000-69-0x0000000000400000-0x000000000041C000-memory.dmp  upx
  behavioral1/memory/2608-96-0x0000000000400000-0x000000000041C000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"  (process: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe)
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
  File opened (read-only) by 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe: \??\B:, \??\H:, \??\L:, \??\M:, \??\Q:, \??\V:, \??\X:, \??\Y:, \??\Z:, \??\G:, \??\J:, \??\N:, \??\O:, \??\R:, \??\S:, \??\I:, \??\P:, \??\W:, \??\A:, \??\E:, \??\K:, \??\T:, \??\U:
Drops file in System32 directory 10 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Drops file in Program Files directory 15 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Drops file in Windows directory 64 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Suspicious use of WriteProcessMemory 8 IoCs
Processes: 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
Processes
C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe (PID 3000), command line "C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe (PID 2608, child of PID 3000), command line "C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe (PID 2836, child of PID 2608), command line "C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.0MB
MD5: ccfe1717230efe8e01f11ee39b17fb66
SHA1: 795d285dccd08a8cd4c2e727eb78c2f92fbb3f98
SHA256: c0970ddc2f004924e2d8a2d16cfc076360630c9ec6583abb0911f2b5d76ae5ec
SHA512: b9b93753ce2b23885b46453a19f422280db930540a996a4c6cea6fd98f0fe1611b344cbd322db0af73b3005725440d72c0e0b6d47f7dd1f762392939e0796b55

Filesize: 183B
MD5: 0d5358c24127a105580397dbc3b3b96e
SHA1: c26ca5615bb4c0e2ff5e31bee83a9641e0c505b5
SHA256: 3dc6bc7eea117f50b889bb71832f2fdb58be6ce2d522e860ba10be209c3b14d9
SHA512: 74318be32e4298edacb6e82b53c967ea66a03c7213a08a7189147dac7ae99ddb98876d0f3f4746065520b9fb8624d8601d83af9ec229bc99a9568e918e09982c