Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 07-04-2024 20:13
Behavioral task: behavioral1
Sample: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
Resource: win10v2004-20240226-en
General
Target: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
Size: 1.4MB
MD5: 174daa247aefc52d66f535735e1f3426
SHA1: 09f4b3f3fb972a89dc66af59ef84f4e3584c6e00
SHA256: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc
SHA512: b9ad7ba6f0eb0a4f4bf2fe693dcf26bf75e4ab78f386d0e51931d57b946e4c916273772c0882b6398359275564c1964d79ef09d4dab2b4f67bbda7d51830136f
SSDEEP: 24576:bHXsaqaoi0NP91nBvdVhe3lehBaaSwOwgi4EiDeo8y+MfmcxP+:j8anCP9lBbhee7owtiqo8QmKP+
Malware Config
Signatures
Detects executables containing possible sandbox analysis VM usernames (2 IoCs)
Processes:
resource: behavioral1/memory/2720-55-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
resource: behavioral1/memory/2636-90-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) (4 IoCs)
Processes:
resource: behavioral1/memory/1728-0-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: UPX
resource: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\gay girls stockings .mpg.exe, yara_rule: UPX
resource: behavioral1/memory/2720-55-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: UPX
resource: behavioral1/memory/2636-90-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: UPX
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource: behavioral1/memory/1728-0-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: upx
resource: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\gay girls stockings .mpg.exe, yara_rule: upx
resource: behavioral1/memory/2720-55-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: upx
resource: behavioral1/memory/2636-90-0x0000000000400000-0x0000000000429000-memory.dmp, yara_rule: upx
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe", process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 10 IoCs
Drops file in Program Files directory 15 IoCs
Drops file in Windows directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description: PID 1728 wrote to memory of 2720, pid: 1728, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 1728 wrote to memory of 2720, pid: 1728, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 1728 wrote to memory of 2720, pid: 1728, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 1728 wrote to memory of 2720, pid: 1728, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 2720 wrote to memory of 2636, pid: 2720, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 2720 wrote to memory of 2636, pid: 2720, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 2720 wrote to memory of 2636, pid: 2720, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
description: PID 2720 wrote to memory of 2636, pid: 2720, process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe, target process: 3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
  PID: 1728
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
      PID: 2720
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\3b327da35f60060150653b401ecb0cead43c1845daa0597939f060979bee83cc.exe"
          PID: 2636
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.5MB
MD5: 18bdf1806ce04e968c32e6f2a3deb01c
SHA1: 0f6dc97b3cd24107257964c4dfa856b9d86aed5c
SHA256: e846f8b8b4031f45dd2479779f80e3b0ed0a0c62ea5cdb5677aafa9b05422c6a
SHA512: 195f22d1a506e7aca12fd764d63aa6da4c6e36ae94bef2a539165fb4fcdbe58a4071fdbeb35cf4911fccad29541b1027933f363ee31fa34bce202c7bebb49283