Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 19:20
Behavioral task: behavioral1
Sample: 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
Resource: win10v2004-20240226-en
General

Target: 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
Size: 241KB
MD5: 66f4bc39e87c07681c40d0288ad92145
SHA1: 9802081dbed5e172a128b6135afdaf118b1768fc
SHA256: 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09
SHA512: dc9f4218c0464341982dde6be9a22e592aaced8cb1d98e8a9a71bcf2d7f61b8c707ce2c3bedcc61779a07ff7a2d6fc7221c36aecd10e9da2c0509546c044fdf4
SSDEEP: 6144:6jluQoSFIo5R4nM/40yJW4aTfLNAP2Rr7vuZI0lWOsWC6wp7W7SU8:6EQoSvqhKfBuj7WOdW7Wer
Malware Config
Signatures
Detects executables containing possible sandbox analysis VM usernames (5 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2488-66-0x0000000000400000-0x0000000000421000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1688-89-0x0000000000400000-0x0000000000421000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2732-106-0x0000000000400000-0x0000000000421000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2488-109-0x0000000000400000-0x0000000000421000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/1688-111-0x0000000000400000-0x0000000000421000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2732-0-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\trambling several models (Karin).mpg.exe | UPX
behavioral1/memory/2488-66-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral1/memory/1688-89-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral1/memory/2732-106-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral1/memory/2488-109-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
behavioral1/memory/1688-111-0x0000000000400000-0x0000000000421000-memory.dmp | UPX
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory (10 IoCs)
Drops file in Program Files directory (15 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 2732 wrote to memory of 2488 | 2732 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2732 wrote to memory of 2488 | 2732 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2732 wrote to memory of 2488 | 2732 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2732 wrote to memory of 2488 | 2732 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2488 wrote to memory of 1688 | 2488 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2488 wrote to memory of 1688 | 2488 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2488 wrote to memory of 1688 | 2488 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2488 wrote to memory of 1688 | 2488 | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe | 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"
  PID: 2732
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  Level 2 (child of PID 2732): C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"
    PID: 2488
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Level 3 (child of PID 2488): C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"
      PID: 1688
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 582KB
MD5: 938fd0ac9acd6a43f66ec67715c2819d
SHA1: 3bd2777c4408eb062fa7ac9e4c21265532bdda2f
SHA256: 48c07e53ef137c257c6799e968e215928d3dee92cfac96ea82721124d982f591
SHA512: 5d4dec0545cfc3d03a67107e89fac758405a34caa4ff5cba3ee6e752e10f01d3bc5b9bf33a24c949848af4c98adca1be446f0b79ca48395659973d2e373235d7