9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7

Analysis

max time kernel
177s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
Size

445KB
MD5

26ed7231a29bff1733360b535ad1b9da
SHA1

056d973506e71b1c570aa1a19f8a7bbaec1df297
SHA256

9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7
SHA512

b7037c1bacdd76dc563ffa09c6dcf5ccccb80ef5a20aa3d01559df1f065efc5680e1fd24e34f2b3a8d559e95b34a1216c5feea77f5b0a95b50d72be0d732c896
SSDEEP

12288:oGHasii9B137B9OsFeH6mpcF0H3LSi0vw9+EN98FrsAFXkm:86B7B9OsAH6maQ330vw9HEAAl

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023240-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\I:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\N:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\O:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\T:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\U:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\W:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\Y:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\H:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\K:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\L:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\P:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\S:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\X:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\Z:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\A:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\E:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\J:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\M:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\R:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\B:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\Q:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File opened (read-only)	\??\V:	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\porn masturbation .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\FxsTmp\hardcore [milf] .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\spanish trambling [free] (Kathrin,Curtney).mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling [milf] ¼ë .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\System32\DriverStore\Temp\italian beast cum big glans hairy .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\norwegian gang bang kicking [bangbus] ¤ç .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality gang bang lesbian penetration .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese horse trambling licking .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal uncut feet black hairunshaved (Gina,Jenna).zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\IME\SHARED\animal [bangbus] .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gang bang catfight ¼ë .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\british beast several models circumcision .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\chinese cum masturbation titts (Christine,Kathrin).mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\cum voyeur circumcision .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\british hardcore gay catfight leather .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\action horse girls hole ash .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Common Files\microsoft shared\beastiality full movie cock bondage .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Microsoft Office\root\Templates\japanese porn porn big .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish beastiality licking ejaculation .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\nude beast hidden mistress .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse nude girls circumcision .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Google\Update\Download\tyrkish kicking bukkake masturbation black hairunshaved (Sylvia).mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\chinese fucking beastiality hidden .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\chinese porn bukkake uncut vagina (Kathrin).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\hardcore beastiality catfight .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish action uncut upskirt (Sonja,Jade).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files (x86)\Google\Temp\handjob gang bang lesbian boobs bondage .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\dotnet\shared\brasilian horse hidden .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\xxx catfight legs balls .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\british lesbian lesbian swallow .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\american gang bang horse catfight titts hairy (Samantha,Jenna).rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\swedish cum girls titts shower .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\CbsTemp\brasilian beast lingerie [bangbus] .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\handjob voyeur high heels (Karin).mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\cum action hidden hole .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\cumshot handjob [milf] circumcision .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\kicking horse licking (Jenna).zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\italian lingerie blowjob licking mistress .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\trambling fucking lesbian vagina .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\gang bang uncut redhair (Gina,Kathrin).mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\indian nude lesbian boobs .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\beastiality several models feet bondage (Anniston,Tatjana).mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\chinese cum lesbian ash ash .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\porn public (Gina,Christine).mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\beast gang bang [free] .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\nude action hidden pregnant .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\mssrv.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\french beastiality gang bang public ash .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\bukkake bukkake catfight hole .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\action masturbation .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\french cum xxx public nipples 50+ .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\fetish lingerie [free] castration .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\malaysia hardcore full movie .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\gay [bangbus] legs .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish blowjob uncut ejaculation .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\canadian blowjob uncut mature (Sandy).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\xxx [milf] titts shoes (Liz,Tatjana).mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\lesbian trambling hidden (Sandy,Jenna).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\horse hardcore hidden legs 40+ .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\british cumshot voyeur boots .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\tyrkish sperm blowjob uncut hole .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\beastiality hot (!) balls .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\indian horse cumshot [bangbus] glans blondie (Sylvia).rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\black hardcore gay full movie young .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\nude catfight black hairunshaved .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\animal [bangbus] fishy .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\horse nude sleeping girly (Sandy).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\american lingerie hot (!) nipples bondage .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fetish animal several models legs .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\PLA\Templates\german hardcore lingerie catfight bondage (Liz).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\italian bukkake kicking catfight (Britney,Sarah).rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\black cumshot girls wifey .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\russian blowjob action [free] vagina girly .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\action cumshot catfight .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\assembly\temp\canadian cum full movie bedroom .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\american handjob kicking sleeping .zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\asian gay handjob hot (!) hairy (Melissa).mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\trambling bukkake licking feet .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\animal public penetration .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\indian lesbian [milf] .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\lingerie [milf] penetration (Liz,Jade).avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\action cumshot licking girly .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\nude girls bedroom .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\porn action hidden boobs boots .avi.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\british gang bang [free] .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\SoftwareDistribution\Download\canadian lesbian [bangbus] .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\nude public ash sm .rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\trambling big wifey .mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\nude cumshot [bangbus] (Sarah).mpeg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\african kicking masturbation pregnant (Gina,Sarah).zip.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\gang bang cum hidden .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\assembly\tmp\chinese lingerie beastiality [free] YEâPSè& .mpg.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\malaysia fucking xxx [free] sm (Sarah,Jenna).rar.exe	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1164	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
3928	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1880	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	89
PID 748 wrote to memory of 1880	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	89
PID 748 wrote to memory of 1880	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	89
PID 748 wrote to memory of 3928	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	90
PID 748 wrote to memory of 3928	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	90
PID 748 wrote to memory of 3928	748	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	90
PID 1880 wrote to memory of 1164	1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	91
PID 1880 wrote to memory of 1164	1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	91
PID 1880 wrote to memory of 1164	1880	9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe	91

C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
"C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
  "C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
    "C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe
  "C:\Users\Admin\AppData\Local\Temp\9a48b39f2a626c419579008ddc72b93c58cdd205f99d670f9dbf4ffd641f6df7.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\chinese cum masturbation titts (Christine,Kathrin).mpg.exe

Filesize
267KB

MD5
f66564add449a8c6182d519b773d5167

SHA1
e8bdd47514eabf12d4a0770c596b86c879ba78ac

SHA256
5af9f617d9ae2073155944a7240dbd34c1225fcc4e7b8461530bb97d00cd3b19

SHA512
da1c89f150e203b6c175abbae1e665a097c4e62be81f5cda47414dd38b56a074dc333a3d0bf378ac442784a4956af87b0b19b3e71fc761ed1f1aabce3bc4c079

Download Submit