e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
Size

537KB
MD5

769f773b5560809ea644e4432b5e5943
SHA1

eeb347feef1508a6fba612cd5c2b34adc75f6f13
SHA256

e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663
SHA512

0db8b395660a256b5c09b110c09f0efc702bb0ac5f485c111137af7cf72721b46dd0c8c89204fa62221ec5ca1a6cffbd3f86e57e73ff993ab438f232f695b8b7
SSDEEP

12288:dXCNi9B+NKqvJzlJ+9xwwC82n1FY3dP3XR1x5xKY4AJ6vZrT:oWIdJz7ywwC8JvgYv8vh

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\L:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\Q:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\A:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\E:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\G:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\U:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\H:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\R:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\T:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\O:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\W:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\Z:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\B:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\I:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\M:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\S:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\V:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\X:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\Y:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\K:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\N:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File opened (read-only)	\??\P:	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american animal hardcore catfight cock gorgeoushorny .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish horse lesbian big feet mistress .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black fetish fucking several models swallow (Gina,Tatjana).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian handjob bukkake public feet blondie (Melissa).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking licking sweet .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\System32\DriverStore\Temp\beast girls balls (Jenna,Liz).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\FxsTmp\french xxx licking glans 40+ (Curtney).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black porn lesbian catfight hole stockings (Jade).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse hot (!) (Curtney).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking catfight cock mature (Liz).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese nude horse masturbation traffic (Anniston,Tatjana).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish cumshot beast masturbation girly .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\horse hidden feet leather .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\indian fetish fucking [free] cock beautyfull (Samantha).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black fetish lesbian girls (Samantha).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\bukkake hidden titts (Sonja,Janette).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian porn lesbian voyeur .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\dotnet\shared\xxx girls feet swallow (Karin).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Microsoft Office\root\Templates\fucking [milf] .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\sperm uncut glans hairy (Sylvia).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish kicking bukkake several models glans .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Microsoft\Temp\sperm [milf] (Janette).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie [milf] hole .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore [bangbus] .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black porn hardcore uncut lady .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Google\Update\Download\american action lingerie masturbation .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Common Files\microsoft shared\american beastiality blowjob voyeur shoes .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish cum gay public cock .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\norwegian hardcore [bangbus] hole sweet .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Program Files (x86)\Google\Temp\russian cumshot sperm lesbian .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\danish action horse [milf] cock YEâPSè& (Jade).mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\tyrkish kicking horse hot (!) (Janette).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\canadian hardcore public leather .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian cum lesbian voyeur ash .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\tyrkish action beast girls (Liz).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\italian animal xxx lesbian feet YEâPSè& .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\beast big redhair .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\canadian blowjob catfight .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\hardcore voyeur hole granny .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\italian cumshot hardcore hidden feet gorgeoushorny (Curtney).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\cum trambling hot (!) (Samantha).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\bukkake lesbian lady (Jenna,Samantha).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\action hardcore big blondie .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\french fucking several models (Jade).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\sperm [milf] black hairunshaved .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\canadian lingerie sleeping (Janette).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\action xxx public ejaculation .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\fetish lesbian uncut cock stockings .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\canadian horse [milf] castration .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\danish horse beast uncut shower .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\indian nude beast licking cock (Sonja,Sylvia).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\german trambling several models feet swallow (Jade).mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian action gay several models castration .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\trambling licking Ôï .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\indian beastiality sperm hidden .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\InstallTemp\chinese gay licking glans young .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian gang bang horse [bangbus] feet .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\british hardcore sleeping (Melissa).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\danish fetish bukkake public hole bondage (Jade).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\nude xxx hot (!) (Liz).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\russian fetish beast catfight boots .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\malaysia xxx sleeping .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\kicking lingerie full movie feet latex (Janette).zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\Temp\british bukkake uncut penetration .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\french sperm [free] .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\chinese horse hidden .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\handjob xxx girls (Tatjana).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\asian xxx voyeur girly .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\beastiality trambling [free] boots (Kathrin,Samantha).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\malaysia lesbian girls titts .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\kicking sperm girls cock .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\porn gay uncut sweet (Britney,Janette).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\cum sperm full movie beautyfull (Jenna,Karin).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\horse gay hot (!) cock redhair (Tatjana).rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\blowjob girls redhair .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\gay [milf] high heels .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\horse masturbation titts balls (Sylvia).mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\russian cum beast masturbation .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\asian blowjob hot (!) gorgeoushorny .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\brasilian animal blowjob lesbian fishy .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\mssrv.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\british trambling hot (!) glans upskirt .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\russian gang bang bukkake masturbation titts castration .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\french lesbian [milf] blondie (Ashley,Samantha).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\cum trambling [free] .rar.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\american action lesbian [free] hole circumcision (Janette).avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\danish horse gay hot (!) titts beautyfull (Jade).mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\german lingerie voyeur titts swallow (Melissa).mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\cum trambling hidden titts .mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\lesbian hot (!) cock .avi.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\tyrkish action bukkake several models pregnant .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\action hardcore girls (Jade).mpg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\danish kicking blowjob girls hairy .mpeg.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\blowjob sleeping cock fishy .zip.exe	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4172	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
4016	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 4620	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	86
PID 4616 wrote to memory of 4620	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	86
PID 4616 wrote to memory of 4620	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	86
PID 4616 wrote to memory of 4016	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	87
PID 4616 wrote to memory of 4016	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	87
PID 4616 wrote to memory of 4016	4616	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	87
PID 4620 wrote to memory of 4172	4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	88
PID 4620 wrote to memory of 4172	4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	88
PID 4620 wrote to memory of 4172	4620	e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe	88

C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
"C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
  "C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
    "C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4172
- C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe
  "C:\Users\Admin\AppData\Local\Temp\e26767b60305fcd9301d43a132f01208cd8e3ddd1913a29f495dab06ee3be663.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie [milf] hole .zip.exe

Filesize
1.9MB

MD5
9dfbfd97b68a2c88df12a1c01357b0b6

SHA1
81db9f07df764d2d34192b271c95e6919282ebde

SHA256
b7ba73eb53ee1eeccc214dd4a918b772470bbca36e0b9d87c2eac709b225f6e6

SHA512
b33fc04023f1667c6086f9d66b5d30785a2c1539d5ccba80f3e6d4503c97698bba6c228dd4bb80d33bb0c39de16b26cee0dfa825280a6226fd20d93bc1c20086

Download Submit
memory/4016-204-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4172-205-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4616-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download