826ce34e39da7cc907325f060281a009c121ffd2def2c704d905bbf5e758c9c2

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21eebde62ef87184d6d09586b9567510.exe
Size

696KB
MD5

21eebde62ef87184d6d09586b9567510
SHA1

e7fe55345e940b3ce7d6da65daedff0ae2fd4bfa
SHA256

826ce34e39da7cc907325f060281a009c121ffd2def2c704d905bbf5e758c9c2
SHA512

64170ca8932bd23449bf8b2b1732649d6bfb0a700940ee2a698275698654d94b738c25b0cd61d8d6901b7dad56ae765a3bc3726549e836ff873663a5d4d40b7c
SSDEEP

12288:dXCNi9BxB8iBd5xSu0OlahESYDnzHX115hurQPcUMjdQna11bVhbJ:oWL8Q5T0xmSYDBEEmj4I9

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	21eebde62ef87184d6d09586b9567510.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation	21eebde62ef87184d6d09586b9567510.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	21eebde62ef87184d6d09586b9567510.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\J:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\K:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\Q:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\R:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\S:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\G:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\I:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\M:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\P:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\U:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\B:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\H:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\O:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\T:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\V:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\X:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\A:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\L:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\N:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\W:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\Y:	21eebde62ef87184d6d09586b9567510.exe
File opened (read-only)	\??\Z:	21eebde62ef87184d6d09586b9567510.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian porn horse big titts (Sandy,Sylvia).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish cumshot trambling big penetration .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish cum trambling several models traffic (Britney,Sylvia).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish nude horse licking (Curtney).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\gay catfight titts leather (Janette).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking hidden .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\FxsTmp\black animal fucking public ash (Ashley,Tatjana).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\IME\SHARED\fucking [bangbus] young .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\config\systemprofile\xxx hot (!) blondie .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese gang bang sperm [bangbus] cock lady .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish animal gay full movie (Curtney).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\trambling public bedroom .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\indian kicking horse licking bedroom .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking [milf] hole .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese beastiality xxx voyeur wifey .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Microsoft\Temp\russian cum bukkake masturbation glans .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian cumshot trambling licking glans shoes (Sylvia).rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black horse sperm masturbation castration .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\fucking masturbation penetration .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\root\Templates\fucking public (Curtney).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Google\Update\Download\black beastiality xxx [milf] castration .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\beast big feet .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Common Files\microsoft shared\japanese action horse hot (!) mature .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\dotnet\shared\japanese gang bang xxx masturbation (Liz).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\japanese cum xxx [free] mature .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\indian nude lesbian uncut glans (Anniston,Sarah).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Google\Temp\russian gang bang hardcore catfight glans latex (Sylvia).rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\xxx hidden redhair .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie girls (Melissa).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\lingerie hidden Œã .avi.exe	21eebde62ef87184d6d09586b9567510.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese horse hidden cock .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\asian lesbian hot (!) feet .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\american cum lesbian lesbian mature .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\japanese horse hardcore [milf] hole (Britney,Melissa).rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\spanish blowjob masturbation cock balls (Tatjana).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\animal fucking public (Liz).rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\tyrkish cumshot blowjob girls bondage (Britney,Sylvia).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\beast [free] titts beautyfull (Curtney).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\porn hardcore hot (!) high heels .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\indian handjob xxx sleeping feet blondie .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\swedish gang bang horse licking .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\canadian blowjob girls (Janette).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\black handjob hardcore voyeur mistress .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\american cumshot blowjob girls mature .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\handjob sperm big swallow (Kathrin,Karin).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\sperm [bangbus] (Liz).zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\gang bang fucking masturbation ash (Jenna,Tatjana).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\xxx big hole sweet (Sylvia).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\chinese beast [free] .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\lingerie uncut lady .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\chinese fucking [bangbus] glans balls (Tatjana).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\PLA\Templates\american beastiality gay sleeping .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\african gay uncut feet .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\cumshot gay hidden penetration .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\american gang bang bukkake uncut cock .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\danish beastiality xxx [bangbus] hole mature .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\lesbian [milf] .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\canadian fucking [bangbus] hole (Ashley,Liz).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\danish fetish horse sleeping cock stockings .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\horse hidden glans young (Karin).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\american porn horse [free] hole .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\gay full movie blondie .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\kicking beast [milf] YEâPSè& .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\beastiality lingerie masturbation titts (Sonja,Melissa).zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian horse gay [free] sweet .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\german fucking catfight (Sarah).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\german beast girls feet .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\lesbian hidden .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\russian gang bang blowjob licking feet (Sandy,Sarah).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\cum bukkake girls .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\Temp\bukkake hot (!) feet hairy .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\xxx lesbian glans latex .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\asian beast [free] redhair (Jenna,Sylvia).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\canadian lingerie catfight .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\beast sleeping feet (Anniston,Liz).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\russian fetish lingerie full movie .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\trambling [bangbus] circumcision .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\nude hardcore hidden .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\indian gang bang lingerie girls mistress .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\asian lesbian lesbian ash .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\russian nude bukkake masturbation (Melissa).mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\kicking beast hot (!) cock hotel (Curtney).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\german blowjob licking ejaculation .rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\canadian blowjob [milf] cock Ôï (Jade).rar.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\french hardcore uncut glans gorgeoushorny .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\swedish gang bang fucking [milf] .mpeg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\xxx [milf] titts swallow .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\german lesbian hot (!) sweet .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\gang bang lingerie [bangbus] girly .zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\spanish bukkake full movie .mpg.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\german sperm licking granny .avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\black cumshot gay masturbation hole (Christine,Karin).avi.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\security\templates\lesbian big (Sylvia).zip.exe	21eebde62ef87184d6d09586b9567510.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\brasilian animal sperm hidden titts (Jenna,Samantha).mpeg.exe	21eebde62ef87184d6d09586b9567510.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
4104	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
544	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
2116	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe
4972	21eebde62ef87184d6d09586b9567510.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 2116	4104	21eebde62ef87184d6d09586b9567510.exe	85
PID 4104 wrote to memory of 2116	4104	21eebde62ef87184d6d09586b9567510.exe	85
PID 4104 wrote to memory of 2116	4104	21eebde62ef87184d6d09586b9567510.exe	85
PID 4104 wrote to memory of 4972	4104	21eebde62ef87184d6d09586b9567510.exe	86
PID 4104 wrote to memory of 4972	4104	21eebde62ef87184d6d09586b9567510.exe	86
PID 4104 wrote to memory of 4972	4104	21eebde62ef87184d6d09586b9567510.exe	86
PID 2116 wrote to memory of 544	2116	21eebde62ef87184d6d09586b9567510.exe	87
PID 2116 wrote to memory of 544	2116	21eebde62ef87184d6d09586b9567510.exe	87
PID 2116 wrote to memory of 544	2116	21eebde62ef87184d6d09586b9567510.exe	87

C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe
"C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe
  "C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe
    "C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:544
- C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe
  "C:\Users\Admin\AppData\Local\Temp\21eebde62ef87184d6d09586b9567510.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie girls (Melissa).mpg.exe

Filesize
769KB

MD5
ea9c58b83aa7e0f86a67b31b3d0ee8e6

SHA1
cde74ea3a4275e92c5f440d63b304bb3da8a6681

SHA256
04e452b2d8f92adc4a51fcd4190144956f1be6ac5f4e6e1a1cb6bef13386ca5d

SHA512
4a8d82b3d1a4ea416cfa79eb2944fc7988ee4e7af9df2c29544f255a75d6e4e1689e2ef4c2d430e6c4c63c18b93e7c498458fccb8254b57b5c3a7782622a7f0e

Download Submit