Analysis
- max time kernel: 147s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 01-01-2024 20:16
Behavioral task: behavioral1
- Sample: 0b9402e3f5e3c992579e0cd5d51f04a1.exe
- Resource: win7-20231215-en

Behavioral task: behavioral2
- Sample: 0b9402e3f5e3c992579e0cd5d51f04a1.exe
- Resource: win10v2004-20231215-en
General
- Target: 0b9402e3f5e3c992579e0cd5d51f04a1.exe
- Size: 1.3MB
- MD5: 0b9402e3f5e3c992579e0cd5d51f04a1
- SHA1: 2a19f3b8fc8f8637825c27b466e8460beca75174
- SHA256: 404d701358a9d28eb1d04cc3995c8be442504515e425802394c22f1444ea14c4
- SHA512: 824973c8bed4b9346aad8274dbd67c17ea7a7b7ad5610c1651c2c7a57c79d32f1ce55515383f6ecf9c427ae56983649ba8eca59a2bd5b36583ae02d61c0eedfb
- SSDEEP: 24576:JB6IGMRJ7ffH5UEp0VG/WrpndWOZx4fxf9ub6cKwhOPk7gqSxBzEQ:P6Ixj+G/WdF4fxf9sw0OccbF
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- resource / yara_rule matches (20 entries, all matching the yara_rule "upx"):
  behavioral1/memory/1416-0-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/files/0x0007000000015ce7-5.dat
  behavioral1/memory/1416-80-0x00000000049D0000-0x00000000049EE000-memory.dmp
  behavioral1/memory/2588-81-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1708-91-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-95-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1708-105-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-106-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-109-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-112-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-115-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-120-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-123-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-126-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-129-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-132-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-135-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-138-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-141-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral1/memory/1416-144-0x0000000000400000-0x000000000041E000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"
  Process: 0b9402e3f5e3c992579e0cd5d51f04a1.exe
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description: File opened (read-only), Process: 0b9402e3f5e3c992579e0cd5d51f04a1.exe, for each of the following ioc paths:
  \??\N:, \??\Q:, \??\W:, \??\A:, \??\G:, \??\L:, \??\M:, \??\O:, \??\P:, \??\S:, \??\U:, \??\B:, \??\H:, \??\K:, \??\Y:, \??\V:, \??\X:, \??\Z:, \??\E:, \??\J:, \??\R:, \??\I:, \??\T:
- Drops file in System32 directory (10 IoCs)
  description: File created, Process: 0b9402e3f5e3c992579e0cd5d51f04a1.exe, for each of the following ioc paths:
  C:\Windows\SysWOW64\config\systemprofile\beast masturbation latex .mpg.exe
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian cum hardcore licking hole pregnant .mpeg.exe
  C:\Windows\SysWOW64\FxsTmp\black horse blowjob uncut glans hotel (Jade).avi.exe
  C:\Windows\SysWOW64\IME\shared\indian action lesbian [bangbus] glans .mpg.exe
  C:\Windows\System32\DriverStore\Temp\black nude hardcore [bangbus] black hairunshaved .mpeg.exe
  C:\Windows\SysWOW64\FxsTmp\black nude lesbian uncut (Sarah).mpeg.exe
  C:\Windows\SysWOW64\IME\shared\lingerie lesbian ash .zip.exe
  C:\Windows\System32\LogFiles\Fax\Incoming\xxx catfight .mpg.exe
  C:\Windows\SysWOW64\config\systemprofile\indian action beast several models titts circumcision (Melissa).rar.exe
  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\black action gay several models .avi.exe
- Drops file in Program Files directory (15 IoCs)
  description: File created, Process: 0b9402e3f5e3c992579e0cd5d51f04a1.exe, for each of the following ioc paths:
  C:\Program Files (x86)\Google\Temp\japanese cum blowjob [milf] glans .rar.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\danish fetish hardcore girls (Sarah).mpeg.exe
  C:\Program Files (x86)\Microsoft Office\Templates\swedish fetish bukkake hot (!) leather .zip.exe
  C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\lingerie sleeping glans penetration .zip.exe
  C:\Program Files\Common Files\Microsoft Shared\horse catfight cock stockings (Janette).zip.exe
  C:\Program Files\DVD Maker\Shared\bukkake catfight cock balls .avi.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\beast public blondie .mpeg.exe
  C:\Program Files (x86)\Google\Update\Download\tyrkish handjob hardcore voyeur fishy .mpeg.exe
  C:\Program Files\Windows Journal\Templates\indian gang bang beast [milf] YEâPSè& .zip.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\tyrkish cum xxx licking feet sweet .avi.exe
  C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese handjob beast licking .avi.exe
  C:\Program Files\Windows Sidebar\Shared Gadgets\american action lingerie masturbation feet .mpg.exe
  C:\Program Files (x86)\Common Files\microsoft shared\tyrkish action horse hot (!) balls .rar.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\trambling public feet .zip.exe
  C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish animal trambling lesbian titts .mpeg.exe
- Drops file in Windows directory (64 IoCs)
  description: File created, Process: 0b9402e3f5e3c992579e0cd5d51f04a1.exe, for each of the following ioc paths:
  C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\italian cum blowjob licking titts .zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\fucking [milf] titts ash (Sylvia).mpg.exe
  C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\japanese handjob trambling masturbation black hairunshaved .mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\horse several models upskirt .mpg.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\gay full movie .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\trambling voyeur granny .mpeg.exe
  C:\Windows\winsxs\Temp\indian nude sperm hidden cock (Gina,Samantha).mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\black animal lingerie hidden (Liz).rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\tyrkish kicking hardcore girls .rar.exe
  C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\american animal xxx hot (!) glans pregnant .avi.exe
  C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\norwegian blowjob public upskirt .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\lingerie masturbation traffic (Christine,Tatjana).mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\russian cumshot hardcore masturbation black hairunshaved .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\black animal bukkake voyeur feet 40+ .mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\cum sperm voyeur hole lady .mpeg.exe
  C:\Windows\SoftwareDistribution\Download\brasilian cum blowjob [free] .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\black porn hardcore sleeping cock .zip.exe
  C:\Windows\winsxs\InstallTemp\asian hardcore sleeping glans .avi.exe
  C:\Windows\mssrv.exe
  C:\Windows\security\templates\fucking full movie .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\horse lesbian several models glans .mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\lingerie [bangbus] feet gorgeoushorny (Curtney).mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\porn lesbian [milf] mistress .rar.exe
  C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\tyrkish cum horse licking hole 40+ .mpg.exe
  C:\Windows\assembly\temp\brasilian porn lingerie several models gorgeoushorny .rar.exe
  C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob big (Karin).zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\canadian fucking uncut feet .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\swedish kicking fucking sleeping stockings .avi.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\tyrkish fetish horse full movie feet young .mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\tyrkish animal beast sleeping .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\lingerie uncut (Samantha).rar.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\kicking bukkake sleeping sweet .mpg.exe
  C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast catfight black hairunshaved .rar.exe
  C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\xxx big 50+ .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\american beastiality hardcore hot (!) hole .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\sperm [milf] penetration .mpeg.exe
  C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\handjob xxx uncut (Sylvia).mpg.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\xxx hidden hole granny (Curtney).mpeg.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\swedish action hardcore voyeur feet beautyfull .avi.exe
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm sleeping .zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\malaysia horse lesbian hole .rar.exe
  C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\swedish gang bang beast public titts sm .rar.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\action trambling uncut cock ejaculation .mpg.exe
  C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\hardcore [free] glans .mpg.exe
  C:\Windows\ServiceProfiles\NetworkService\Downloads\italian horse sperm [bangbus] titts bedroom (Tatjana).mpg.exe
  C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\italian beastiality hardcore full movie (Tatjana).zip.exe
  C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\xxx public leather .mpeg.exe
  C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\animal fucking girls castration .avi.exe
  C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\gang bang blowjob public feet .mpeg.exe
  C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\japanese nude lesbian uncut girly .mpg.exe
  C:\Windows\PLA\Templates\russian porn horse sleeping granny (Anniston,Janette).mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\action xxx sleeping boots .rar.exe
  C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\asian trambling girls girly .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\chinese bukkake lesbian young .mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\italian gang bang xxx [bangbus] redhair .mpg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\beast lesbian feet latex .mpeg.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\black action fucking [free] feet high heels .rar.exe
  C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish nude fucking sleeping feet .mpeg.exe
  C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\porn sperm [free] circumcision .mpeg.exe
  C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american cum blowjob hidden feet bondage .zip.exe
  C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\asian lingerie voyeur hole latex .rar.exe
  C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\handjob trambling several models hotel .mpeg.exe
  C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\russian handjob hardcore several models (Karin).mpeg.exe
  C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay full movie femdom .avi.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 64 entries, every one for Process 0b9402e3f5e3c992579e0cd5d51f04a1.exe; the pid column reads 1416, 2588, 1416, 1708 for the first four entries, followed by twenty repetitions of the sequence 1416, 2588, 1708.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / Process / procid_target:
  PID 1416 wrote to memory of 2588 / 1416 / 0b9402e3f5e3c992579e0cd5d51f04a1.exe / 28 (4 entries)
  PID 2588 wrote to memory of 1708 / 2588 / 0b9402e3f5e3c992579e0cd5d51f04a1.exe / 29 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe"
  PID: 1416
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe"
    PID: 2588
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0b9402e3f5e3c992579e0cd5d51f04a1.exe"
      PID: 1708
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 9KB
  MD5: bcfc02804ca0feaf643ae2d9332100e1
  SHA1: 8c08b4127c410562be2b60623cd0cad01011a085
  SHA256: 46ab6512c262e25334e646e1fd0fd86889e17fede98bd1fed7a324be0e6d7826
  SHA512: 7b04cd25481a6d364e35ff5dfc458b29dea70eeab2a3094ededec2348a65ccff299cb23205eebce99e60b5ee78d84a08f7b84cee04f7b82048fec03b59894fd2
- Filesize: 183B
  MD5: b832132e65d91daac950428436bae0c8
  SHA1: d4abb0c100d34a111e7257d3504cfe93f4500bd4
  SHA256: 2219471ba7345561925d0ec8d3d5a796ac2720c0490a8f666161f7d06905cbee
  SHA512: 0b3e112384c4f27fe9212174e0484e915b4d1c8e25a59fdba2aadc1840222a33ed735fc5bddcf1ebe873ceeaa59e77e6589a6bb956da8e28a9228bcda27de4aa