Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
04-06-2024 01:39
Behavioral task
behavioral1
Sample
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
Resource
win10v2004-20240226-en
General
-
Target
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
-
Size
674KB
-
MD5
66d399a25afa81e7e00773b0bd7f5ffa
-
SHA1
d81129912c23d461d1644eb8a3b0cfad6d4bb30c
-
SHA256
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb
-
SHA512
b27013de1c07bdd81cb1bd3617b6f7ccfd3d82fe94687456a55d9370b44cc7c6c614aa40344d4d85c2fd795e3d571771ee2610985ed91567c3c1f930143d75d9
-
SSDEEP
12288:VEQoSmyv4iAfeomJ+VURrVfH4gMBAmbBeu2rXjevNcRze2LFDewBMI35Apea:VVh0CJ+VEBPOBAm9grXjevNoeseAApea
Malware Config
Signatures
-
Detects executables containing possible sandbox analysis VM usernames 4 IoCs
Processes:
resource  yara_rule
behavioral1/memory/3000-93-0x0000000000400000-0x000000000041F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2700-99-0x0000000000400000-0x000000000041F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2484-100-0x0000000000400000-0x000000000041F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral1/memory/2464-101-0x0000000000400000-0x000000000041F000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
UPX dump on OEP (original entry point) 9 IoCs
Processes:
resource  yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
behavioral1/files/0x0007000000015364-5.dat  UPX
behavioral1/memory/3000-9-0x0000000004970000-0x000000000498F000-memory.dmp  UPX
behavioral1/memory/2484-54-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
behavioral1/memory/3000-93-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
behavioral1/memory/3000-96-0x0000000004970000-0x000000000498F000-memory.dmp  UPX
behavioral1/memory/2700-99-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
behavioral1/memory/2484-100-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
behavioral1/memory/2464-101-0x0000000000400000-0x000000000041F000-memory.dmp  UPX
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource  yara_rule
behavioral1/memory/3000-0-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/files/0x0007000000015364-5.dat  upx
behavioral1/memory/3000-9-0x0000000004970000-0x000000000498F000-memory.dmp  upx
behavioral1/memory/2484-54-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/3000-93-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/3000-96-0x0000000004970000-0x000000000498F000-memory.dmp  upx
behavioral1/memory/2700-99-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/2484-100-0x0000000000400000-0x000000000041F000-memory.dmp  upx
behavioral1/memory/2464-101-0x0000000000400000-0x000000000041F000-memory.dmp  upx
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process: b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
Process: b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
description  ioc  Process
File opened (read-only)  \??\Y:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\G:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\O:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\Q:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\U:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\P:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\T:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\V:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\W:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\A:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\H:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\I:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\L:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\B:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\E:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\N:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\R:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\X:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\Z:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\J:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\K:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\M:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
File opened (read-only)  \??\S:  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
Drops file in System32 directory 10 IoCs
Processes:
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exedescription ioc Process File created C:\Windows\SysWOW64\config\systemprofile\bukkake sleeping pregnant .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\System32\DriverStore\Temp\trambling [milf] mistress .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\IME\shared\xxx voyeur leather .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\lesbian girls high heels .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\FxsTmp\bukkake masturbation glans hairy .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian fetish lesbian catfight hole .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\FxsTmp\russian horse gay lesbian girly .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\System32\LogFiles\Fax\Incoming\danish handjob horse masturbation feet latex .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\config\systemprofile\sperm several models beautyfull .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SysWOW64\IME\shared\lingerie full movie .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe -
Drops file in Program Files directory 15 IoCs
Processes:
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exedescription ioc Process File created C:\Program Files\Common Files\Microsoft Shared\blowjob full movie granny (Sonja,Janette).mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Google\Temp\animal gay several models ejaculation .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Google\Update\Download\american kicking bukkake full movie swallow .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\black beastiality fucking uncut mature .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files\Windows Journal\Templates\american action bukkake [free] titts shoes .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Common Files\microsoft shared\tyrkish handjob bukkake [free] feet YEâPSè& .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\danish beastiality gay uncut glans hairy (Sarah).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian nude fucking lesbian balls .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake [free] .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\horse girls glans penetration .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft 
Office\Office14\Groove\XML Files\Space Templates\american cum trambling girls hole high heels (Karin).zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft Office\Templates\japanese cum horse full movie .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\swedish horse horse catfight sweet .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files\DVD Maker\Shared\blowjob licking titts circumcision .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\indian kicking fucking big hole lady .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe -
Drops file in Windows directory 64 IoCs
Processes:
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exedescription ioc Process File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\african sperm hot (!) boots .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\lesbian [milf] femdom .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\lesbian [bangbus] (Tatjana).avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\blowjob licking glans .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish animal trambling voyeur bondage (Britney,Sylvia).zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian horse sperm licking sm .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\danish handjob sperm public (Jade).mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\porn trambling several models (Curtney).mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\chinese horse hidden .mpeg.exe 
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\handjob bukkake [bangbus] titts ejaculation (Jade).avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\sperm [free] .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\hardcore masturbation (Janette).mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\african lesbian girls glans high heels .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\lesbian voyeur high heels .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\gang bang blowjob several models cock (Sonja,Curtney).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\chinese bukkake [bangbus] castration .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\SoftwareDistribution\Download\russian animal blowjob voyeur femdom .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\lesbian masturbation mistress .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\italian handjob xxx hidden cock .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\lesbian public glans (Christine,Tatjana).mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\cumshot hardcore sleeping cock hotel (Tatjana).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\InstallTemp\spanish horse girls cock .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\german trambling lesbian (Curtney).avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\xxx catfight .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\NetworkService\Downloads\bukkake masturbation feet .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\hardcore licking feet femdom .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created 
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\british gay several models ejaculation .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\animal hardcore several models hole stockings .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\indian cumshot blowjob hidden .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\gang bang gay uncut sweet .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\beastiality trambling public cock ejaculation (Melissa).rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\fucking licking glans .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\LocalService\Downloads\xxx several models (Karin).rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\fetish sperm sleeping shower .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\danish handjob gay [bangbus] gorgeoushorny .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created 
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\swedish cumshot hardcore uncut feet YEâPSè& .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\japanese gang bang horse licking feet bondage (Karin).zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lesbian sleeping boots .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\xxx hidden glans mature (Karin).zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\spanish gay sleeping 40+ (Anniston,Curtney).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\norwegian blowjob voyeur cock young .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\nude xxx hidden .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\cum horse full movie hole .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\temp\lingerie sleeping glans .mpeg.exe 
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\american nude horse full movie hole .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\trambling licking glans blondie .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling [bangbus] .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\Downloaded Program Files\danish fetish beast catfight (Liz).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\russian animal beast uncut hole lady .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\beastiality sperm catfight redhair .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\animal beast sleeping glans (Kathrin,Sylvia).zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\cumshot blowjob hot (!) 
.mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\french xxx hot (!) penetration .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\spanish blowjob [milf] circumcision .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian nude sperm hidden glans .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\norwegian blowjob [free] (Samantha).rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\american porn bukkake [bangbus] swallow .rar.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\gang bang horse masturbation shoes .avi.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\chinese beast [free] .mpg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\xxx hidden boots .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created 
C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\xxx hidden cock (Sandy,Liz).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\spanish hardcore licking mistress .zip.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\spanish blowjob masturbation 40+ (Britney,Janette).mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe File created C:\Windows\PLA\Templates\gay sleeping castration .mpeg.exe b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exeb026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exeb026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exeb026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exepid Process 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 
b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2484 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2700 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 3000 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe 2464 b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
Processes: b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe, b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe
description  pid  Process  procid_target
PID 3000 wrote to memory of 2700  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  28
PID 3000 wrote to memory of 2700  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  28
PID 3000 wrote to memory of 2700  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  28
PID 3000 wrote to memory of 2700  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  28
PID 3000 wrote to memory of 2464  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  29
PID 3000 wrote to memory of 2464  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  29
PID 3000 wrote to memory of 2464  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  29
PID 3000 wrote to memory of 2464  3000  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  29
PID 2700 wrote to memory of 2484  2700  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  30
PID 2700 wrote to memory of 2484  2700  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  30
PID 2700 wrote to memory of 2484  2700  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  30
PID 2700 wrote to memory of 2484  2700  b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  30
Processes
-
C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  "C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe"  (level 1)
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  "C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe"  (level 2)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  "C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe"  (level 3)
- Suspicious behavior: EnumeratesProcesses
PID:2484
-
-
-
C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe  "C:\Users\Admin\AppData\Local\Temp\b026085d9766cd27a06db958f10cd7d1084ddb235b377b235797b47c5be2e1fb.exe"  (level 2)
- Suspicious behavior: EnumeratesProcesses
PID:2464
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
751KB
MD5
9ab57e3542d9d72968a2777b42a4f071
SHA1
1c99e84fe6faf6c1a3cb8d1d80fc3f24bb87ba1e
SHA256
4217509e1f8f72ed104abd9315a07eac4a02c473185ef2979432688bb793792b
SHA512
f59c176ba7b96a3e474967aab0e9ad2d887be276a66c4ee808f956eda25a0678bf7dda1bf97b5ae094e8bcacd22b36f5b3b1790d7ed86241a2b227a55789dc2f
-
Filesize
183B
MD5
a54826a7bc3b21cf96e7f73c3693cdb1
SHA1
d4a9f73f0b8891fe356359c44f43393330fdb46f
SHA256
952816e405a8a890e6e3c72a1034698098312f645028cacbe85f052f97934285
SHA512
160af80cc91089c1d06f9360e86b481d8b7b21efafb1fd96759a61a12b6f2a55adeb0d4e9d260598807a49722e275db397f531273c3bfc72eb21c4093bb81253