9039552109c1bc00ddd636cca5de86e68614587e661972aa6a3dd4ed37bbdf6b

General

Target

135b576f722ba278b107ce64b8d5b2a0.exe
Size

1.3MB
MD5

135b576f722ba278b107ce64b8d5b2a0
SHA1

63605199553a891ae858169cadbc8059669c9fc0
SHA256

9039552109c1bc00ddd636cca5de86e68614587e661972aa6a3dd4ed37bbdf6b
SHA512

911bfeb42e8d129bf06b532bf70e164574b086ed0be98f9818b6cf0c30b94f7112a8809148d862f6e4747cb0e98743a26cf8ca87a4f5181a1990eb2c8d16fe8c
SSDEEP

24576:oWQCRioZGyAIISOJpThV7tUU/81fKSK/nhVW+7u+OqKf4KfL6ZI7gyj7yihGq:VQCUyxO7d81SrnrWC9SdWE

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	135b576f722ba278b107ce64b8d5b2a0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	135b576f722ba278b107ce64b8d5b2a0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	135b576f722ba278b107ce64b8d5b2a0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
File opened (read-only)	\??\P:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\Q:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\R:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\S:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\A:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\I:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\J:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\N:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\V:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\X:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\G:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\K:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\L:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\W:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\Z:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\H:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\O:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\T:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\U:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\B:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\E:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\M:	135b576f722ba278b107ce64b8d5b2a0.exe
File opened (read-only)	\??\Y:	135b576f722ba278b107ce64b8d5b2a0.exe

Drops file in System32 directory 12 IoCs

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\danish beastiality horse big wifey (Sonja,Janette).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian gang bang beast catfight feet (Christine,Tatjana).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\FxsTmp\tyrkish nude blowjob big .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality gay public redhair .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\swedish fetish gay hot (!) cock ¼ë (Curtney).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\xxx public shower .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian gang bang bukkake voyeur YEâPSè& .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\System32\DriverStore\Temp\italian kicking hardcore hidden feet castration .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\FxsTmp\canadian beast voyeur girly .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian beastiality blowjob uncut YEâPSè& .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american animal fucking [bangbus] (Sarah).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian cumshot horse big girly .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe

Drops file in Program Files directory 17 IoCs

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\japanese nude sperm licking circumcision .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\trambling sleeping .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\russian kicking sperm public .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\tyrkish animal sperm several models (Curtney).avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Google\Update\Download\american gang bang hardcore [milf] titts femdom .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Common Files\microsoft shared\italian horse fucking licking glans balls .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish fetish hardcore licking balls .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\french lingerie full movie feet Ôï (Jade).zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish cum lingerie hidden fishy (Sandy,Janette).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\italian nude horse girls swallow .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\american horse lingerie catfight cock YEâPSè& (Jade).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Google\Temp\fetish trambling [milf] hole pregnant .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake [free] cock pregnant (Janette).zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\sperm [milf] (Sylvia).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\lingerie hidden (Janette).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish kicking gay catfight (Samantha).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\swedish beastiality horse hot (!) .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe

Drops file in Windows directory 64 IoCs

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
File created	C:\Windows\assembly\tmp\russian horse gay voyeur balls .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\InputMethod\SHARED\black animal beast big (Liz).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lingerie [free] feet .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\american animal fucking [bangbus] hotel .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\french sperm [free] feet YEâPSè& .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\Downloaded Program Files\fucking [free] .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\trambling hot (!) gorgeoushorny .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\kicking xxx sleeping feet .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\horse masturbation feet Ôï .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black nude bukkake several models mature .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx hot (!) cock traffic .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\chinese hardcore full movie ash .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\african bukkake masturbation .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\african hardcore big traffic .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\chinese sperm [free] titts .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\cumshot blowjob uncut feet traffic .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\french xxx licking beautyfull (Britney,Sarah).zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\german horse full movie .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\CbsTemp\indian horse xxx big fishy (Christine,Janette).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\indian nude fucking [bangbus] castration (Kathrin,Karin).zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\indian horse fucking uncut (Sarah).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\norwegian sperm hot (!) .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\handjob blowjob catfight blondie .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SoftwareDistribution\Download\swedish handjob gay girls 50+ .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\asian bukkake several models feet sm (Melissa).zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\xxx public hole 50+ .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\kicking horse uncut feet .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\russian kicking trambling sleeping .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\PLA\Templates\xxx catfight feet .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\animal beast [free] (Jade).avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\danish kicking xxx several models fishy .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\brasilian animal fucking voyeur hole .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\lesbian [free] bondage .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\malaysia sperm sleeping beautyfull .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\assembly\temp\swedish cumshot horse [free] .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\indian kicking gay masturbation feet hotel (Samantha).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\japanese nude xxx public (Jade).mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\lesbian hidden .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\trambling hidden hole .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\asian lingerie uncut titts (Anniston,Samantha).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\sperm several models .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\tyrkish action lingerie several models .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\horse several models black hairunshaved .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\cumshot blowjob hidden feet 40+ (Melissa).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\nude bukkake [milf] hole traffic (Curtney).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\swedish cum gay masturbation cock 40+ .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\beastiality horse licking hole granny .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\african bukkake public shower .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\malaysia sperm masturbation hole gorgeoushorny (Sylvia).mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\french bukkake hot (!) fishy .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\french hardcore uncut titts hotel (Samantha).avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\asian beast full movie (Samantha).avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\handjob trambling uncut YEâPSè& .mpeg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\chinese beast uncut (Karin).avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\action bukkake full movie .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\german gay public glans granny .zip.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\animal lesbian [milf] hole 40+ .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\horse lesbian hidden titts high heels (Samantha).rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\porn gay sleeping hole .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\fetish xxx masturbation glans .mpg.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\norwegian trambling voyeur latex .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\german bukkake licking stockings .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\sperm girls glans Ôï .rar.exe	135b576f722ba278b107ce64b8d5b2a0.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\brasilian action hardcore [bangbus] .avi.exe	135b576f722ba278b107ce64b8d5b2a0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	135b576f722ba278b107ce64b8d5b2a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	135b576f722ba278b107ce64b8d5b2a0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe

pid	process
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
1688	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
3288	135b576f722ba278b107ce64b8d5b2a0.exe
1988	135b576f722ba278b107ce64b8d5b2a0.exe
1012	135b576f722ba278b107ce64b8d5b2a0.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

135b576f722ba278b107ce64b8d5b2a0.exe135b576f722ba278b107ce64b8d5b2a0.exe

description	pid	process	target process
PID 1988 wrote to memory of 3288	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 1988 wrote to memory of 3288	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 1988 wrote to memory of 3288	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 1988 wrote to memory of 1012	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 1988 wrote to memory of 1012	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 1988 wrote to memory of 1012	1988	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 3288 wrote to memory of 1688	3288	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 3288 wrote to memory of 1688	3288	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe
PID 3288 wrote to memory of 1688	3288	135b576f722ba278b107ce64b8d5b2a0.exe	135b576f722ba278b107ce64b8d5b2a0.exe

C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe
"C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe
"C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3288

C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe
"C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe
"C:\Users\Admin\AppData\Local\Temp\135b576f722ba278b107ce64b8d5b2a0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish cum lingerie hidden fishy (Sandy,Janette).mpeg.exe

Filesize
1.1MB

MD5
71080dece05443fb49ad81052e03d78c

SHA1
5bb8fbcf0c94cd949bc1d3a1fc44e3fa08e7e348

SHA256
1a35f9de862df07f2cb02f1a7b233db7182a51108b99722d06274bff095ac3b0

SHA512
1eab7125e5b3b6c47e1f95b2878b391f11af70bbcc50e77559376d481e22f37739705c054570e49145aed376e8167efa2594959f01f8a9ea38d183ebd4e4e32a

Download Submit
memory/1988-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads