Analysis
max time kernel: 132s
max time network: 147s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 09/04/2024, 21:36
Behavioral task behavioral1
Sample: 19bddff71e02886030f8efd4817047b5.exe
Resource: win7-20231129-en

Behavioral task behavioral2
Sample: 19bddff71e02886030f8efd4817047b5.exe
Resource: win10v2004-20240226-en

The signatures, IoCs and process tree below are from behavioral1 (win7-20231129-en); the PIDs and memory-dump paths refer to that run.
General
Target: 19bddff71e02886030f8efd4817047b5.exe
Size: 137KB
MD5: 19bddff71e02886030f8efd4817047b5
SHA1: ef5975a994956ac5e9ef7bd250218c3bff9bcb07
SHA256: 6008506ee9d7c338b9e91372498d2e29ff5a6a62dff8e73fee1643b4c3142166
SHA512: ba110b47c97f5e217fb67a2989290132a72ef787730ae634bab9b7a5bc5a1cccce463ff4d30f716616d307534e43737250119c8b2cd1dea0f9fc94a4f09d9b56
SSDEEP: 3072:YjbLl/gvQoutP1Tj4mYWR/R4nkPR/1aVuyJ+ULu8mGY/68Zsc1MHW:YjluQoStIo5R4nM/40yJpLA/7ZYHW
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. No IoC rows are listed for this signature in the report.

YARA rule "upx" matched (7 resources)
resource                                                                     yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x000000000041E000-memory.dmp    upx
behavioral1/files/0x0007000000015cb6-5.dat                                   upx
behavioral1/memory/2748-54-0x0000000000400000-0x000000000041E000-memory.dmp   upx
behavioral1/memory/2364-89-0x0000000000400000-0x000000000041E000-memory.dmp   upx
behavioral1/memory/2240-106-0x0000000000400000-0x000000000041E000-memory.dmp  upx
behavioral1/memory/2748-108-0x0000000000400000-0x000000000041E000-memory.dmp  upx
behavioral1/memory/2364-109-0x0000000000400000-0x000000000041E000-memory.dmp  upx
The same 0x400000-0x41E000 image region matches in all three process instances (2240, 2748, 2364) and in one dropped file, so the child processes map the same UPX-packed image as the parent.
Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                        process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"  19bddff71e02886030f8efd4817047b5.exe
The value lands under Wow6432Node because a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on 64-bit Windows is redirected there; entries in that key are still executed at logon. Writing HKLM needs administrative rights, which the sandbox user (C:\Users\Admin) had. The referenced C:\Windows\mssrv.exe is a copy the sample creates itself (listed under "Drops file in Windows directory").
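A check for the persistence entry above, written as an added example for this page (it is not code from the report or from the sandbox vendor). It classifies a Run-key value by where its image lives and, on a Windows host, can read both registry views so that a Wow6432Node entry like this one is not missed. Only the mssrv32 entry comes from the report; the allowlist, the user-writable path hints and the extra entries used to exercise the parser are my own assumptions.

```python
import ntpath
import re
import sys

# The one Run-key IoC from this report (value name, command). The remaining
# entries and constants below are my own assumptions for illustration.
REPORT_ENTRY = ("mssrv32", r"C:\Windows\mssrv.exe")

# Binaries that legitimately live directly in %SystemRoot% (assumed allowlist).
WINDOWS_ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe", "hh.exe"}
# Path fragments that mark user-writable or temporary locations (assumption).
USER_WRITABLE_HINTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                       "\\users\\public\\", "\\windows\\temp\\")

# Quoted image, or an unquoted image that ends at the first ".exe", then optional arguments.
_CMD_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))(?:\s+(?P<args>.*))?\s*$', re.IGNORECASE)


def split_command(command):
    """Split a Run-key value into (image path, argument string)."""
    m = _CMD_RE.match(command)
    if not m:
        return command.strip(), ""
    return m["q"] or m["u"], m["args"] or ""


def assess_run_entry(name, command, system_root=r"C:\Windows"):
    """Return (image path, list of reasons the entry deserves a look)."""
    image, _args = split_command(command)
    low = image.lower()
    base = ntpath.basename(low)
    reasons = []
    # mssrv.exe sits in C:\Windows itself, where almost nothing legitimate starts from Run.
    if ntpath.dirname(low) == system_root.lower() and base not in WINDOWS_ROOT_ALLOWLIST:
        reasons.append("image sits directly in %SystemRoot% rather than System32/SysWOW64")
    if any(hint in low for hint in USER_WRITABLE_HINTS):
        reasons.append("image under a user-writable or temporary directory")
    if not command.lstrip().startswith('"') and " " in image:
        reasons.append("unquoted image path containing spaces")
    return image, reasons


def collect_run_entries():
    """HKLM Run entries from both registry views (native and Wow6432Node). Windows only."""
    if sys.platform != "win32":
        return []
    import winreg
    subkey = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    found = []
    for view, label in ((winreg.KEY_WOW64_64KEY, "native"), (winreg.KEY_WOW64_32KEY, "Wow6432Node")):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values in this view
                found.append((label, name, str(data)))
                index += 1
    return found


if __name__ == "__main__":
    entries = [("report", *REPORT_ENTRY)] + collect_run_entries()
    for label, name, command in entries:
        image, reasons = assess_run_entry(name, command)
        print(f"[{label}] {name} -> {image}: {'; '.join(reasons) or 'nothing unusual'}")
```

The location heuristic is deliberately narrow: it does not verify signatures or hashes, so treat a hit as a reason to pull the file, not as a verdict.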
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only)   process: 19bddff71e02886030f8efd4817047b5.exe (every entry)
ioc: \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Every drive letter except C:, D: and F: is probed, which is consistent with walking the whole A: to Z: range rather than querying mounted volumes.
Drops file in System32 directory (10 IoCs)
description: File created   process: 19bddff71e02886030f8efd4817047b5.exe (every entry)
ioc:
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beastiality lesbian uncut (Curtney,Sarah).rar.exe
  C:\Windows\System32\DriverStore\Temp\british gang bang hidden gorgeoushorny (Samantha,Sylvia).mpeg.exe
  C:\Windows\System32\LogFiles\Fax\Incoming\italian sperm [milf] 50+ .rar.exe
  C:\Windows\SysWOW64\config\systemprofile\indian lesbian masturbation beautyfull .rar.exe
  C:\Windows\SysWOW64\FxsTmp\brasilian porn hardcore licking sm .mpeg.exe
  C:\Windows\SysWOW64\IME\shared\fetish hidden boots .mpg.exe
  C:\Windows\SysWOW64\config\systemprofile\danish fetish voyeur wifey .mpeg.exe
  C:\Windows\SysWOW64\FxsTmp\brasilian cum fetish catfight boots .zip.exe
  C:\Windows\SysWOW64\IME\shared\british kicking bukkake catfight cock swallow .zip.exe
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\canadian fetish masturbation ejaculation (Ashley,Christine).avi.exe
Drops file in Program Files directory (15 IoCs)
description: File created   process: 19bddff71e02886030f8efd4817047b5.exe (every entry)
ioc:
  C:\Program Files (x86)\Google\Temp\japanese hardcore bukkake voyeur hole hairy .rar.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\xxx masturbation boobs pregnant .rar.exe
  C:\Program Files (x86)\Microsoft Office\Templates\action hot (!) hole young .rar.exe
  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\german porn uncut granny (Karin).avi.exe
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\gay horse big gorgeoushorny .zip.exe
  C:\Program Files\Windows Journal\Templates\fucking licking (Liz).mpeg.exe
  C:\Program Files (x86)\Common Files\microsoft shared\fetish kicking sleeping hole .rar.exe
  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\handjob sleeping pregnant .rar.exe
  C:\Program Files\Common Files\Microsoft Shared\beast horse full movie hole redhair .zip.exe
  C:\Program Files (x86)\Google\Update\Download\fucking [bangbus] black hairunshaved .avi.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\african horse lesbian several models .mpeg.exe
  C:\Program Files\DVD Maker\Shared\spanish lingerie animal voyeur mistress (Sarah).avi.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese lesbian blowjob several models bedroom .mpg.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\sperm [milf] mistress .mpg.exe
  C:\Program Files\Windows Sidebar\Shared Gadgets\trambling [milf] ejaculation .mpeg.exe
Drops file in Windows directory (64 IoCs)
description: File created   process: 19bddff71e02886030f8efd4817047b5.exe (every entry)
ioc:
  C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\italian horse uncut ejaculation .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\danish animal lesbian young .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\swedish fucking blowjob licking .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\spanish gay voyeur granny .mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\british beastiality [bangbus] (Christine).zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\danish bukkake voyeur .zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\cum cum masturbation nipples balls .avi.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\xxx big .rar.exe
  C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\danish kicking sperm lesbian vagina .mpg.exe
  C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\kicking sperm [free] boobs .avi.exe
  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\japanese hardcore hidden titts (Kathrin).rar.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\kicking [milf] (Jade).zip.exe
  C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian cum [bangbus] black hairunshaved (Jade).mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\tyrkish animal beast public 50+ .avi.exe
  C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse sleeping .zip.exe
  C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\swedish cumshot masturbation (Britney).avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\french gay gay [bangbus] 40+ .avi.exe
  C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\african beast kicking girls balls (Jade).zip.exe
  C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\beast several models fishy .avi.exe
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\canadian horse xxx uncut .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\asian horse beastiality [bangbus] boobs .zip.exe
  C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\black fetish full movie cock 50+ (Britney).zip.exe
  C:\Windows\winsxs\InstallTemp\russian gang bang gay [free] nipples .mpg.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\nude full movie .avi.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\swedish nude masturbation titts blondie (Jade).mpg.exe
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay several models hole balls .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\british porn hot (!) vagina .mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\fetish licking nipples young .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\african gay beastiality licking (Tatjana,Sonja).rar.exe
  C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish handjob trambling [bangbus] nipples .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\horse porn full movie boobs traffic .rar.exe
  C:\Windows\security\templates\chinese fetish catfight titts (Jade,Christine).rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\fucking beast several models sweet (Sarah,Sonja).mpg.exe
  C:\Windows\mssrv.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\porn uncut boobs stockings .zip.exe
  C:\Windows\SoftwareDistribution\Download\german cumshot cum voyeur beautyfull .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\animal [milf] hole (Janette,Tatjana).avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\gay public glans black hairunshaved .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\fucking hardcore public (Sylvia,Ashley).mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\malaysia gay [free] ejaculation .rar.exe
  C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\horse action voyeur gorgeoushorny .mpeg.exe
  C:\Windows\Downloaded Program Files\lesbian sperm masturbation boobs swallow (Sonja).mpg.exe
  C:\Windows\PLA\Templates\lesbian sleeping .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\porn trambling lesbian girly (Samantha,Sonja).zip.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\nude public ash .mpg.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\kicking catfight .mpeg.exe
  C:\Windows\assembly\tmp\horse several models titts .avi.exe
  C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\hardcore gay several models stockings (Samantha).mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\brasilian gang bang hardcore girls shoes .zip.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\beastiality public cock .zip.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\black gang bang handjob lesbian shower .zip.exe
  C:\Windows\winsxs\Temp\gay action public 50+ (Anniston).mpeg.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\canadian beast sleeping .avi.exe
  C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\kicking fucking full movie (Janette).mpg.exe
  C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\german fetish sleeping bedroom .rar.exe
  C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\fetish full movie .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\beastiality handjob voyeur blondie .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\hardcore hardcore sleeping stockings .mpeg.exe
  C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\swedish lingerie lesbian voyeur leather .zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\black cum animal full movie boobs leather .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\indian nude licking hairy (Gina).mpeg.exe
  C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\beastiality hardcore several models (Anniston,Sarah).zip.exe
  C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\hardcore beastiality full movie redhair .mpg.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\cumshot licking circumcision .mpeg.exe
Across the three "Drops file in ..." signatures the pattern is uniform: with the single exception of C:\Windows\mssrv.exe (the persistence copy referenced by the Run key), every target directory name contains "share", "temp"/"tmp", "download", "incoming" or "p2p", and every dropped file carries a media or archive extension (.avi, .mpeg, .mpg, .rar, .zip) in front of .exe. That is the seeding behaviour of a worm that plants lure executables in folders a file-sharing client is likely to expose. The ".." inside some winsxs component names is the sandbox's display truncation, not part of the real path.
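An added example (mine, not the sandbox's code) that parses the flattened "File created <path> <process>" runs from the three "Drops file in ..." signatures above and characterises each drop: the fake media or archive extension in front of .exe, which tree the file landed in, and which directory-name keyword (share, temp, tmp, download, incoming, p2p) the target matched. The seven sample entries are copied from this report; the keyword list and the extra extensions wmv and mp4 are my assumptions.

```python
import re
from collections import Counter

# Constructed input: seven "File created" entries copied verbatim from this
# report's "Drops file in ..." signatures, in the flattened one-line form the
# extracted page uses. Every other constant below is my own assumption.
SAMPLE_BLOB = (
    r"File created C:\Windows\mssrv.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Windows\PLA\Templates\lesbian sleeping .rar.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Windows\winsxs\Temp\gay action public 50+ (Anniston).mpeg.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Windows\System32\LogFiles\Fax\Incoming\italian sperm [milf] 50+ .rar.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\horse sleeping .zip.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Program Files (x86)\Microsoft Office\Templates\action hot (!) hole young .rar.exe 19bddff71e02886030f8efd4817047b5.exe "
    r"File created C:\Windows\SoftwareDistribution\Download\german cumshot cum voyeur beautyfull .avi.exe 19bddff71e02886030f8efd4817047b5.exe"
)

# One entry = "File created <path, may contain spaces> <process image>"; the
# process image has no spaces and is followed by the next entry or end of input.
ENTRY_RE = re.compile(r"File created (?P<path>.+?) (?P<proc>\S+\.exe)(?= File created |$)")
# Fake media/archive extension directly in front of .exe. avi/mpeg/mpg/rar/zip
# occur in the report; wmv and mp4 are added as common variants (assumption).
LURE_RE = re.compile(r"\.(?P<fake>avi|mpe?g|rar|zip|wmv|mp4)\.exe$", re.IGNORECASE)
# Directory-name substrings a file-sharing worm looks for (assumed list; every
# target directory in this report matches one of them).
DIR_KEYWORDS = ("share", "temp", "tmp", "download", "incoming", "p2p")


def parse_file_created(blob):
    """Return [(path, process), ...] from a flattened 'File created' IoC run."""
    return [(m["path"], m["proc"]) for m in ENTRY_RE.finditer(blob.strip())]


def fake_extension(path):
    """'rar' for a name ending in ' .rar.exe'; None when there is no fake extension."""
    m = LURE_RE.search(path)
    return m["fake"].lower() if m else None


def location_class(path):
    """Coarse bucket matching the report's three 'Drops file in ...' signatures."""
    p = path.lower()
    if p.startswith(r"c:\windows\winsxs"):
        return "winsxs"
    if p.startswith((r"c:\windows\system32", r"c:\windows\syswow64")):
        return "system32"
    if p.startswith(r"c:\program files"):
        return "program_files"
    if p.startswith(r"c:\windows"):
        return "windows"
    return "other"


def dir_keyword(path):
    """First sharing-related keyword found in the directory part of the path."""
    directory = path.lower().rsplit("\\", 1)[0]
    return next((k for k in DIR_KEYWORDS if k in directory), None)


def summarize(entries):
    exts = [(p, fake_extension(p)) for p, _ in entries]
    return {
        "total": len(entries),
        "lures": sum(1 for _, e in exts if e),
        "non_lures": [p for p, e in exts if e is None],
        "by_location": Counter(location_class(p) for p, _ in entries),
        "by_fake_ext": Counter(e for _, e in exts if e),
        "by_dir_keyword": Counter(dir_keyword(p) for p, _ in entries),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_file_created(SAMPLE_BLOB)).items():
        print(f"{key}: {value}")
```

The only entry that is not a lure in the sample is C:\Windows\mssrv.exe, which is exactly the file the Run key points at; a hunt that keys on "no fake extension, written to %SystemRoot%" would surface the persistence copy without wading through the lure names.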
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process: 64 events attributed, in rotation, to PIDs 2240, 2748 and 2364, i.e. all three instances of 19bddff71e02886030f8efd4817047b5.exe.
Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   process                                  procid_target
PID 2240 wrote to memory of 2748    2240  19bddff71e02886030f8efd4817047b5.exe    28   (4 events)
PID 2748 wrote to memory of 2364    2748  19bddff71e02886030f8efd4817047b5.exe    29   (4 events)
Each parent writes into the copy of itself it has just spawned, and all three copies map the same UPX-flagged image at 0x400000. This is consistent with a packed sample re-launching itself and injecting into the child; the report does not show what was written, so the payload handed to the child is not identified here.
Processes
C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe  (PID 2240, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe"
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe  (PID 2748, depth 2, child of 2240)
    command line: "C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe  (PID 2364, depth 3, child of 2748)
      command line: "C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe"
      - Suspicious behavior: EnumeratesProcesses
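Added detection logic (mine, not the sandbox's) run over a constructed event stream modelled on this report: the self-spawn chain 2240 to 2748 to 2364 from the process tree, the four WriteProcessMemory events from each parent into its child, and the 23 read-only drive-root opens from PID 2240 listed under "Enumerates connected drives". The event schema and the parent PID of 2240 (which the report does not show) are assumptions.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed event stream modelled on this report: the process tree
# (2240 -> 2748 -> 2364, all the same image), four WriteProcessMemory events
# from each parent into its child, and 23 read-only drive-root opens by 2240.
# Field names are assumptions, and so is 1000 as the parent of 2240.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\19bddff71e02886030f8efd4817047b5.exe"
EVENTS = [
    {"type": "process_create", "pid": 2240, "ppid": 1000, "image": IMAGE},
    {"type": "process_create", "pid": 2748, "ppid": 2240, "image": IMAGE},
    {"type": "process_create", "pid": 2364, "ppid": 2748, "image": IMAGE},
]
for src, dst in ((2240, 2748), (2748, 2364)):
    EVENTS += [{"type": "write_process_memory", "pid": src, "target_pid": dst} for _ in range(4)]
for letter in "ABEGHIJKLMNOPQRSTUVWXYZ":  # the 23 letters the report lists (all but C, D, F)
    EVENTS.append({"type": "file_open", "pid": 2240, "path": "\\??\\" + letter + ":", "access": "read-only"})

DRIVE_ROOT_RE = re.compile(r"^\\\?\?\\([A-Z]):$", re.IGNORECASE)  # NT path of a drive root, e.g. \??\E:


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def _same_image(procs, a, b):
    return ntpath.basename(procs[a]["image"]).lower() == ntpath.basename(procs[b]["image"]).lower()


def self_spawn_chains(events):
    """Chains of processes that each spawn a copy of their own image.
    Follows only the first same-image child at each level (enough for a linear chain)."""
    procs = _processes(events)
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])
    chains = []
    for pid, p in procs.items():
        if p["ppid"] in procs and _same_image(procs, pid, p["ppid"]):
            continue  # not the head of a chain
        chain, cur = [pid], pid
        while True:
            same = [c for c in children[cur] if _same_image(procs, cur, c)]
            if not same:
                break
            cur = same[0]
            chain.append(cur)
        if len(chain) > 1:
            chains.append(chain)
    return chains


def child_injections(events):
    """(source pid, target pid, event count) where a process writes into a child it spawned."""
    procs = _processes(events)
    writes = Counter((e["pid"], e["target_pid"]) for e in events if e["type"] == "write_process_memory")
    return [(src, dst, n) for (src, dst), n in sorted(writes.items())
            if dst in procs and procs[dst]["ppid"] == src]


def drive_sweeps(events, threshold=5):
    """pid -> number of distinct drive roots opened, for pids at or above threshold."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] != "file_open":
            continue
        m = DRIVE_ROOT_RE.match(e["path"])
        if m:
            seen[e["pid"]].add(m.group(1).upper())
    return {pid: len(s) for pid, s in seen.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("self-spawn chains:", self_spawn_chains(EVENTS))
    print("writes into own child:", child_injections(EVENTS))
    print("drive sweeps:", drive_sweeps(EVENTS))
```

The three checks are independent on purpose: a self-spawn chain alone is common for installers and updaters, and a drive sweep alone is common for backup tools, but a process that spawns its own image, writes into that child, and walks A: to Z: in the same run is the combination this report shows.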
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 394KB
MD5: 1c5aaf164874e8581324d5f470a8526b
SHA1: 8903b16d7b732c167736ff88876e524a402c420c
SHA256: b299ddfef2174aaedab5875bae4b51237df7d0b2785146de7073c023fc0a9178
SHA512: ebb2c416e3caefa2e5b618ceb15e546f73d0b78fc27bb17803dc06d9e9a4d056e59c9da1381e64d200ca295ba26cf0b3eb623bbcece021202e783d152da3a672
This is a separate 394KB artifact offered for download with the report; its hashes differ from those of the 137KB submitted sample above.