19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 23:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
Size

1.1MB
MD5

f3b8e5108ed78f877db961bbb304e020
SHA1

47bc9311be4cf686e1ba27ea51f443eaf21e2708
SHA256

19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377
SHA512

02e81508f5c98f4cd271aeeaa0fd758c4b22499c1a8ded2815fca85792d4d65a3e1d4ccfe7f0eef265491121f6b4a7898b42a90476553545ee0480b17fe49b2e
SSDEEP

24576:oWGc+rmTY9tR2dpGLWMXtDt01O+BN+3EO3+5HbWdog5+:VxTY9t4d6F9KE53HIKos+

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\X:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\Y:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\A:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\I:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\Q:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\R:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\L:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\M:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\S:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\P:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\T:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\V:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\W:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\B:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\E:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\G:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\N:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\Z:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\H:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\J:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\K:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File opened (read-only)	\??\O:	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\japanese animal lesbian [bangbus] .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\danish animal horse several models ash .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian gang bang lingerie [bangbus] feet beautyfull .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\IME\shared\sperm [milf] latex .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese horse horse several models circumcision .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\FxsTmp\german horse girls ìï .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\IME\shared\indian nude horse full movie stockings .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling [free] hole (Gina,Curtney).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beast voyeur girly .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\trambling hot (!) .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\black porn gay uncut ash .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\sperm lesbian feet beautyfull .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files\DVD Maker\Shared\lingerie uncut .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\tyrkish cum hardcore big hole 50+ .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\brasilian animal lesbian [bangbus] titts .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\black gang bang fucking licking ash .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Google\Temp\american kicking beast catfight penetration .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese porn hardcore masturbation fishy .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\lingerie catfight feet leather .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files\Common Files\Microsoft Shared\lesbian girls 40+ (Jenna,Liz).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\indian animal trambling masturbation cock fishy (Sylvia).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\brasilian cumshot xxx big cock latex .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\sperm licking (Melissa).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files\Windows Journal\Templates\blowjob big bedroom .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\japanese cum lesbian girls ìï .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\russian animal horse full movie .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking hot (!) titts (Sonja,Tatjana).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\indian beastiality fucking voyeur (Karin).mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\african lesbian uncut traffic .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\german beast [milf] hole .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\horse hidden 40+ .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\malaysia bukkake several models cock .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\gay [free] sweet (Jenna,Liz).zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\trambling girls beautyfull .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\tyrkish cum gay licking (Melissa).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian kicking beast [milf] feet bondage .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\animal beast catfight penetration .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\cumshot beast hot (!) titts (Britney,Jade).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\russian gang bang beast masturbation titts swallow .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\danish porn hardcore [milf] .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\SoftwareDistribution\Download\horse full movie cock hairy (Liz).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\spanish hardcore [free] .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\chinese xxx full movie cock ìï .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\sperm several models hole .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\beastiality sperm girls .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\tyrkish handjob horse girls .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\japanese horse xxx lesbian .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\malaysia trambling lesbian stockings .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\action bukkake [milf] mature .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\danish porn hardcore [bangbus] feet balls .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\security\templates\fucking full movie .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\malaysia fucking [milf] (Jade).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\sperm lesbian feet boots (Curtney).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\russian horse lingerie catfight hole .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\beast uncut titts .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\malaysia beast hidden castration .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\norwegian gay [bangbus] (Liz).zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\british gay sleeping lady .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\japanese cum fucking catfight hole bondage (Curtney).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\french hardcore [milf] titts .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm several models 50+ .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\bukkake licking hole .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\british horse masturbation shoes .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\danish beastiality beast masturbation titts .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\InstallTemp\tyrkish animal xxx hidden swallow .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\hardcore lesbian traffic .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\mssrv.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\chinese sperm lesbian lady (Sonja,Curtney).mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\danish action beast public beautyfull .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\danish action hardcore [milf] titts (Sonja,Melissa).avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\action hardcore catfight castration .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\asian bukkake public .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\animal beast [bangbus] stockings .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\russian fetish trambling [free] feet .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\swedish nude xxx catfight 50+ (Sonja,Samantha).rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\swedish beastiality lesbian several models .mpeg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\german fucking voyeur hole .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\asian bukkake [bangbus] glans bondage .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\japanese gang bang bukkake lesbian .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\american porn fucking sleeping bedroom .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\american handjob hardcore full movie penetration .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\xxx masturbation boots .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\handjob gay lesbian leather .rar.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\american kicking bukkake public (Karin).mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\beast [milf] .zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\canadian trambling uncut (Melissa).zip.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\russian action sperm lesbian ejaculation .avi.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\norwegian blowjob several models cock beautyfull (Samantha).mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\nude horse several models bedroom .mpg.exe	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2164	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
2524	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3044	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	30
PID 2112 wrote to memory of 3044	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	30
PID 2112 wrote to memory of 3044	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	30
PID 2112 wrote to memory of 3044	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	30
PID 3044 wrote to memory of 2164	3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	31
PID 3044 wrote to memory of 2164	3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	31
PID 3044 wrote to memory of 2164	3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	31
PID 3044 wrote to memory of 2164	3044	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	31
PID 2112 wrote to memory of 2524	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	32
PID 2112 wrote to memory of 2524	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	32
PID 2112 wrote to memory of 2524	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	32
PID 2112 wrote to memory of 2524	2112	19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe	32

C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
"C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
  "C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
    "C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2164
- C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe
  "C:\Users\Admin\AppData\Local\Temp\19ee83e8c7f21f53b5f8315e8345864bb5b65b10d1b1da5396582efdd68e8377.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\brasilian animal lesbian [bangbus] titts .zip.exe

Filesize
164KB

MD5
a8b6006a10f691edc4fbfdc031aa9208

SHA1
571900346682592f8ee1c82e4c0c63b92546d071

SHA256
037fbf5f86ce50e60d24be0ae0f29d2c9abb887fba7780eac0ecab8cea929cac

SHA512
6c67aa1e25c0b661ab08bb8edc1084d03e4b1a0984a5672bba0614066caa676da5195769a71d4b213bf42f61e774a29711b8a0666e5af4204c3d0127185ecbba

Download Submit