Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 03/04/2024, 18:24

Behavioral task: behavioral1
Sample: 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Resource: win10v2004-20240226-en
General
Target: 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Size: 234KB
MD5: 36ea4f0e5583c44848ba59ef59350806
SHA1: c9f18716291ca8cd2772e91eacd98ce7ca8abe6b
SHA256: 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5
SHA512: 19a084c812985d7e9a2c20aff3d01583bbcd87b219f9dd1ef5e27f84ef770f2da6b886a605901f962ec0b1ef47078e790bc27ca9430d030766ceed2f3e3b1d52
SSDEEP: 6144:YjluQoSPIo5R4nM/40yJN1O2X0FTGoqqPMzjgZ4P6wlUwehSfs:YEQoSpqhv3XmGDiMPgZ1bhSk
Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 4 IoCs
resource | yara_rule
behavioral1/memory/2564-52-0x0000000000400000-0x0000000000420000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2020-104-0x0000000000400000-0x0000000000420000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2564-107-0x0000000000400000-0x0000000000420000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2492-110-0x0000000000400000-0x0000000000420000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) 7 IoCs
resource | yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
behavioral1/files/0x000700000001471d-5.dat | UPX
behavioral1/memory/2564-52-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
behavioral1/memory/2492-88-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
behavioral1/memory/2020-104-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
behavioral1/memory/2564-107-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
behavioral1/memory/2492-110-0x0000000000400000-0x0000000000420000-memory.dmp | UPX
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/files/0x000700000001471d-5.dat | upx
behavioral1/memory/2564-52-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/2492-88-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/2020-104-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/2564-107-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/2492-110-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\B: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\J: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\L: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\S: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\Y: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\H: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\V: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\W: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\Z: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\I: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\K: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\N: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\P: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\X: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\Q: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\R: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\T: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\A: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\E: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\G: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\M: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\O: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
File opened (read-only) | \??\U: | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Drops file in System32 directory 10 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\nude gay catfight .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian lesbian uncut circumcision (Britney,Jenna).mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\System32\DriverStore\Temp\action public nipples .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\FxsTmp\american cumshot lesbian licking hole black hairunshaved (Sandy,Sylvia).mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\IME\shared\french nude full movie beautyfull .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\System32\LogFiles\Fax\Incoming\french sperm hidden stockings (Melissa).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\config\systemprofile\brasilian fucking sleeping pregnant .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian lesbian masturbation sm .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\FxsTmp\hardcore porn [bangbus] penetration .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SysWOW64\IME\shared\spanish fucking blowjob voyeur nipples circumcision .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe -
Drops file in Program Files directory 15 IoCs
description ioc Process File created C:\Program Files\Common Files\Microsoft Shared\german fetish fetish big .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Google\Update\Download\black nude beast voyeur cock high heels .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\brasilian xxx action hidden girly .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Office\Templates\gay hardcore public hotel (Melissa).avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\norwegian porn animal several models hairy .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Common Files\microsoft shared\blowjob [bangbus] .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\hardcore animal big .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\malaysia cum action lesbian sweet .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files\DVD Maker\Shared\handjob girls cock .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files\Windows Journal\Templates\cum girls granny .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\canadian animal full movie circumcision .mpeg.exe 
091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Google\Temp\hardcore big .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian hardcore masturbation bondage .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\handjob [milf] legs hairy .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\kicking horse several models balls .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\trambling girls (Sarah).mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\norwegian hardcore sperm [free] stockings (Melissa,Anniston).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\swedish cum full movie feet traffic (Tatjana,Sonja).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\russian gang bang gay lesbian vagina .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\indian animal big legs gorgeoushorny .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\NetworkService\Downloads\asian nude sleeping (Janette).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\xxx sleeping (Janette,Tatjana).mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\cumshot horse [milf] vagina .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\norwegian lesbian sleeping cock .rar.exe 
091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\handjob sleeping beautyfull .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\canadian cumshot public young (Sonja,Sarah).avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\SoftwareDistribution\Download\canadian fucking girls 50+ .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\cum beastiality [milf] circumcision .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\tyrkish handjob sleeping glans hotel (Jenna,Sandy).mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\chinese fucking animal hidden glans .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\german trambling girls glans leather .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\lingerie masturbation black hairunshaved .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created 
C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\danish hardcore voyeur .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\mssrv.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian cum lesbian [free] pregnant .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\danish cumshot xxx sleeping ash (Jenna).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\beastiality sleeping legs ìï (Anniston).mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\italian blowjob uncut high heels (Curtney,Gina).avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\xxx nude voyeur .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lingerie big .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\trambling several models traffic .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\horse hardcore [bangbus] (Sarah).mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\brasilian blowjob sperm big stockings .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\french sperm public .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\gang bang [bangbus] black hairunshaved (Christine).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\blowjob public glans .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\african xxx sleeping cock stockings .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\fucking lesbian mature .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\chinese kicking hidden high heels (Gina).mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\swedish blowjob horse hot (!) 
shower .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\black beast girls ash granny .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\InstallTemp\american lesbian uncut pregnant .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\chinese kicking public glans femdom .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\horse gay lesbian .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\kicking horse public .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\japanese horse fucking [milf] ash .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\canadian sperm [free] legs black hairunshaved .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\PLA\Templates\brasilian fucking lesbian girls boots (Melissa,Janette).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\hardcore beastiality sleeping hotel (Janette,Britney).zip.exe 
091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\asian xxx action voyeur hole femdom .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\tyrkish handjob [bangbus] legs .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\malaysia gang bang action lesbian boobs YEâPSè& .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\black blowjob several models castration (Sarah,Sonja).mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\spanish lingerie full movie .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\action gang bang lesbian .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\horse lingerie voyeur hole .rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\black action hot (!) 
.zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\horse lingerie big 50+ .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\american kicking beast catfight mature .mpeg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\horse gay masturbation ash femdom (Christine).avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\LocalService\Downloads\canadian fetish several models latex .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\cum public .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\swedish xxx [free] boobs .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\beast lingerie sleeping (Jade).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\Temp\black fetish porn hot (!) 
fishy .avi.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\russian lesbian animal hidden boobs swallow .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian porn full movie castration .zip.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\brasilian lingerie cumshot girls (Sandy,Sonja).rar.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\british nude [bangbus] ash YEâPSè& .mpg.exe 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
2492 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 2020 wrote to memory of 2564 | 2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 28
PID 2020 wrote to memory of 2564 | 2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 28
PID 2020 wrote to memory of 2564 | 2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 28
PID 2020 wrote to memory of 2564 | 2020 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 28
PID 2564 wrote to memory of 2492 | 2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 29
PID 2564 wrote to memory of 2492 | 2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 29
PID 2564 wrote to memory of 2492 | 2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 29
PID 2564 wrote to memory of 2492 | 2564 | 091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe | 29
Processes
1. C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
   "C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe"
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in System32 directory
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID: 2020
   2. C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
      "C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2564
      3. C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe
         "C:\Users\Admin\AppData\Local\Temp\091ca27bca23c9221911b2b6e44574173a4df0a0e00f5e59e15686be8e3b38e5.exe"
         - Suspicious behavior: EnumeratesProcesses
         PID: 2492
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.0MB
MD5: 758a114b05413211d9f50f2fb1732156
SHA1: eaf0695171f72b0331bc5b92480296121e0caf3a
SHA256: baf15d29bd5be1bc12413d361128f5ddd7211497cab0e0983eeb5fc72abe7bf9
SHA512: 0c365f7ded5dc0d2850684a12de1dcb66c57b4fc3f2f6ee42d18a42339e0bdb26b5680d3efd0e49d43a0e867a1f72720195c3c3c585c6af9295b4d8f484c4928