Analysis
max time kernel: 154s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/03/2024, 02:49
Static task: static1
Behavioral task: behavioral1
  Sample: c9b03754900d81157311d8a7ad764633.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: c9b03754900d81157311d8a7ad764633.exe
  Resource: win10v2004-20240226-en
General
Target: c9b03754900d81157311d8a7ad764633.exe
Size: 853KB
MD5: c9b03754900d81157311d8a7ad764633
SHA1: cb47b8f4721cb2a24946c58adcb5f743f58ce895
SHA256: 24b7c4982f9fbcc4488f9eff838e1a98817f1c5491f5aeefbd634fb4639e8dec
SHA512: 59ba366824da440ed06e3639d6f5033272e5bd2bf3730000cacf097c2a05ee4b0d2818fafb94f29d9f74fb9f96f3514d4e8c19cdc2ebc428af6b47d913fab6a7
SSDEEP: 24576:2Wo/CQxopDdpWxCqo1kFaoF4eLywVomJuBwB:zSCQxgDjQo1k0Iyw6cfB
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | c9b03754900d81157311d8a7ad764633.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | c9b03754900d81157311d8a7ad764633.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | c9b03754900d81157311d8a7ad764633.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\I: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\Q: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\Y: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\Z: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\B: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\G: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\L: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\O: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\T: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\W: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\X: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\E: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\K: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\M: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\N: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\R: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\U: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\H: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\J: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\P: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\S: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\V: | c9b03754900d81157311d8a7ad764633.exe
File opened (read-only) | \??\A: | c9b03754900d81157311d8a7ad764633.exe
-
Drops file in System32 directory 12 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 3312 wrote to memory of 4128 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 99
PID 3312 wrote to memory of 4128 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 99
PID 3312 wrote to memory of 4128 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 99
PID 3312 wrote to memory of 2664 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 100
PID 3312 wrote to memory of 2664 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 100
PID 3312 wrote to memory of 2664 | 3312 | c9b03754900d81157311d8a7ad764633.exe | 100
PID 4128 wrote to memory of 4580 | 4128 | c9b03754900d81157311d8a7ad764633.exe | 101
PID 4128 wrote to memory of 4580 | 4128 | c9b03754900d81157311d8a7ad764633.exe | 101
PID 4128 wrote to memory of 4580 | 4128 | c9b03754900d81157311d8a7ad764633.exe | 101
Processes
- C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe"
  PID: 3312
  Signatures:
  - Checks computer location settings
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe"
    PID: 4128
    Signatures:
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe"
      PID: 4580
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c9b03754900d81157311d8a7ad764633.exe"
    PID: 2664
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
  PID: 4608
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\norwegian lesbian masturbation .zip.exe
  Filesize: 1.8MB
  MD5: cfc20c721570fdffb7766611fd6328e0
  SHA1: e923c11618d1fb59c97ddb80a9f6ec339c0326eb
  SHA256: 4510ebca58c9e43b9d08f9c532afb2445ba9e3327784c662b29f2b1c88e51da0
  SHA512: 11d4950a916bc87181fa883b1f57cfd25d32d27fe22f41628ec6e541ae33dfc25871726aaa5ca73119882386b39f35aad8b86b2edcd12e2278b135be08be6aab