dfcda277f7ec2e90d242da4e39d680c278cb822fa718b0a31a358d66f7b7a09f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4edcd0bccdf36311e56f7a0abfc58a67.exe
Size

407KB
MD5

4edcd0bccdf36311e56f7a0abfc58a67
SHA1

5571ec2b92ae49c0a248469400abf93c11bc73f3
SHA256

dfcda277f7ec2e90d242da4e39d680c278cb822fa718b0a31a358d66f7b7a09f
SHA512

6c4ddb2f0f4d0ea0a537f226ad0c2c26a621bc8bd0525351a055aa6c847dccc5983a622404bd7b8d29042b9554c77948242b1ffad588773e17b4a21cbb64cd85
SSDEEP

6144:aDOxZXrSHXUTsiJcsSM0lo3uXfVBz2pGhTSPVLB4BKrim0T8+nzA9PCezWpg3m:lXa8si5SdV8cWtLW4rGQ+zA9qqjW

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	4edcd0bccdf36311e56f7a0abfc58a67.exe
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	4edcd0bccdf36311e56f7a0abfc58a67.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	4edcd0bccdf36311e56f7a0abfc58a67.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\V:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\B:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\G:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\L:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\M:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\P:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\R:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\T:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\W:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\A:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\H:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\X:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\Y:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\S:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\U:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\Z:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\E:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\N:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\O:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\Q:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\I:	4edcd0bccdf36311e56f7a0abfc58a67.exe
File opened (read-only)	\??\J:	4edcd0bccdf36311e56f7a0abfc58a67.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\kicking masturbation 40+ .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\asian blowjob lingerie voyeur boobs (Jade,Christine).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish gay hidden lady .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian trambling [milf] .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\System32\DriverStore\Temp\nude several models cock traffic (Karin,Britney).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\FxsTmp\gay hardcore uncut young (Christine).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beastiality handjob hidden titts pregnant .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish bukkake bukkake several models .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\animal hardcore [free] .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\brasilian sperm voyeur granny .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian gay hardcore big .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black kicking [bangbus] cock redhair (Curtney).avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish horse horse voyeur nipples .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\german horse cum licking young .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\african lingerie beastiality public titts young .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\root\Templates\chinese horse animal hot (!) feet mistress (Sandy,Curtney).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking action big latex .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fucking sperm big bedroom (Britney).zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fetish fetish licking hotel (Gina,Sylvia).mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\dotnet\shared\japanese sperm several models ash .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\italian lesbian sperm lesbian nipples sm .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Google\Temp\spanish sperm voyeur sweet (Jade,Jenna).mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\asian fucking sleeping cock upskirt .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Microsoft\Temp\brasilian action horse several models granny (Samantha,Sonja).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\gang bang bukkake lesbian feet traffic (Sandy).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\animal [bangbus] YEâPSè& (Jenna,Sonja).zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking trambling catfight (Jenna).avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish gay cum licking boobs penetration .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\asian horse xxx uncut (Curtney).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Program Files\Common Files\microsoft shared\asian fetish blowjob hot (!) titts mistress .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\bukkake cumshot [milf] latex (Ashley,Tatjana).avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\chinese gang bang hidden .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\african hardcore fucking lesbian .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\swedish handjob sleeping boobs (Tatjana,Samantha).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\chinese lingerie fucking several models latex .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\beastiality licking wifey (Karin).zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\japanese porn xxx licking legs .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\italian kicking bukkake [bangbus] mature .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\norwegian beast full movie cock beautyfull .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\asian horse catfight (Janette,Curtney).mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\indian sperm trambling voyeur black hairunshaved (Jenna,Jenna).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\russian horse hot (!) latex .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\porn public mature .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\trambling gang bang lesbian balls .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\asian horse horse hidden boots (Anniston).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\lesbian [free] .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\horse cumshot [free] ash .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\malaysia nude girls .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SoftwareDistribution\Download\spanish cumshot catfight leather .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\spanish cumshot sleeping vagina .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\beastiality full movie .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\french lesbian cum licking glans .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\malaysia fucking big (Tatjana).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\gay voyeur vagina .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\tyrkish porn [bangbus] castration (Janette,Tatjana).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\action sperm uncut .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\gay lingerie [bangbus] redhair (Britney).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\fucking fetish [free] .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\animal uncut (Sonja,Ashley).avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\german cumshot lingerie full movie .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\animal porn uncut boots .mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\german fucking big boobs castration .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\cum catfight leather (Christine,Samantha).zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\german horse hidden .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\hardcore big (Kathrin).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\assembly\tmp\african xxx cum public latex .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\british lingerie cum [milf] .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\american kicking xxx big .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\trambling gang bang hidden cock .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\fetish beastiality full movie swallow (Janette).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\swedish bukkake kicking hidden nipples castration (Tatjana).rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\PLA\Templates\malaysia bukkake sperm uncut hole balls .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\brasilian gay masturbation legs mature .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\action sperm big cock gorgeoushorny .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\horse uncut fishy (Janette,Liz).mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\russian action full movie Ôï .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\lesbian horse public .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\japanese cumshot voyeur .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\japanese action bukkake [free] (Britney,Kathrin).mpg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\italian trambling action hidden bondage .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\kicking beastiality public shower .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\canadian horse voyeur .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\kicking hot (!) .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking animal uncut titts bedroom .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\animal gang bang hidden .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\malaysia handjob full movie ejaculation .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\italian kicking fetish full movie redhair .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\swedish hardcore xxx girls .mpeg.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\kicking full movie hole 40+ .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\canadian sperm hot (!) feet .avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\brasilian animal uncut swallow .rar.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\norwegian fucking big hole 50+ .zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\tyrkish sperm [free] feet (Sonja,Sylvia).zip.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\lingerie fetish [bangbus] sweet (Gina).avi.exe	4edcd0bccdf36311e56f7a0abfc58a67.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
1464	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3756	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
3056	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe
4388	4edcd0bccdf36311e56f7a0abfc58a67.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 3056	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	90
PID 1464 wrote to memory of 3056	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	90
PID 1464 wrote to memory of 3056	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	90
PID 1464 wrote to memory of 4388	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	91
PID 1464 wrote to memory of 4388	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	91
PID 1464 wrote to memory of 4388	1464	4edcd0bccdf36311e56f7a0abfc58a67.exe	91
PID 3056 wrote to memory of 3756	3056	4edcd0bccdf36311e56f7a0abfc58a67.exe	92
PID 3056 wrote to memory of 3756	3056	4edcd0bccdf36311e56f7a0abfc58a67.exe	92
PID 3056 wrote to memory of 3756	3056	4edcd0bccdf36311e56f7a0abfc58a67.exe	92

C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe
"C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe
  "C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe
    "C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3756
- C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe
  "C:\Users\Admin\AppData\Local\Temp\4edcd0bccdf36311e56f7a0abfc58a67.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\kicking action big latex .zip.exe

Filesize
1.2MB

MD5
ada4a61a65adc5261cc54f58eb540949

SHA1
338a33d14f4e5ad2415dd323b80ebb34e08d2372

SHA256
4767532ab7dd711c57c65ac42af58da1155b4e83c2bc69b087e7b29d4c98b84d

SHA512
1b464515505be26811b19a6ea79e8ec2d7fd61eb29e8c3bed96b9a1b7dab3931ed9906de50a985d97d2b28de460d54c5ccc8213619b65928855c5e25f1fcdad4

Download Submit
memory/1464-226-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-189-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-183-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-242-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-238-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-188-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-234-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-205-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-195-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-218-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-214-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-209-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1464-230-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3056-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3756-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4388-185-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4388-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download