26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 19:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
Size

1.2MB
MD5

9be08a1430b62404abfa851c343c854a
SHA1

8189c18f5ac19c4c2f9b85625615ff2a9f7427df
SHA256

26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0
SHA512

857166c525df1c9916e55bf242720f15d5ee002155167f0e7d6129d8ec9f0281c21afcadfbc978a77833b9980a95f5fb4d80d827b0e7c09d95cf36c95617a1d5
SSDEEP

24576:2wo2G6ps+Xviy0gzLyir4lqtWiRLzHRPINWf8ki+X7iMHSeHn3:ho36jIgt4lChhzHRPwWDlX7iMHSeH3

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\G:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\P:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\R:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\S:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\Y:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\V:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\W:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\A:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\H:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\I:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\N:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\O:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\Q:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\U:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\X:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\B:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\E:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\J:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\K:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\M:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\L:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File opened (read-only)	\??\T:	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\indian beastiality horse hidden .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian porn lingerie uncut cock sweet .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\FxsTmp\beast hot (!) feet .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore big feet mistress .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese handjob fucking sleeping girly .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\fucking uncut YEâPSè& .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american cumshot lingerie lesbian young .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore [milf] cock swallow (Samantha).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\FxsTmp\spanish hardcore voyeur pregnant .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\swedish handjob bukkake licking YEâPSè& .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\trambling [bangbus] cock sm (Samantha).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american cum lingerie licking latex (Kathrin,Sarah).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\hardcore licking cock femdom .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\american beastiality xxx sleeping cock .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Common Files\microsoft shared\danish horse lesbian big .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\dotnet\shared\american cum hardcore [milf] feet .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american cum lesbian licking .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian gang bang fucking big .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fucking [bangbus] .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lingerie hot (!) glans .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Google\Temp\blowjob uncut cock bedroom .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\bukkake hidden .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\japanese handjob bukkake hidden cock gorgeoushorny .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese beastiality lingerie full movie sweet .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian beastiality lesbian catfight hole swallow .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish horse gay masturbation cock .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore catfight granny .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\italian nude lesbian lesbian hotel .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking sleeping circumcision .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\lingerie uncut latex .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\italian beastiality lesbian sleeping lady .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\asian blowjob hidden hole 40+ .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\asian lesbian public titts (Jenna,Sylvia).mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\gang bang horse [free] mature .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\brasilian porn trambling [free] Ôï .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\spanish trambling lesbian .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\indian animal gay full movie young (Kathrin,Samantha).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\trambling several models shoes .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\chinese sperm full movie girly (Christine,Sarah).zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian fetish lingerie hot (!) (Samantha).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\malaysia sperm public shower .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\danish handjob horse full movie titts gorgeoushorny (Sylvia).zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\nude gay licking feet .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\american action xxx [bangbus] cock sweet .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\xxx hot (!) (Melissa).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\canadian xxx [milf] titts bedroom (Curtney).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\british sperm catfight glans lady (Tatjana).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\malaysia fucking sleeping .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\canadian bukkake girls ash .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\indian porn hardcore licking (Samantha).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\swedish action trambling [bangbus] .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\japanese porn sperm uncut .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\malaysia blowjob girls (Sylvia).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\porn bukkake uncut pregnant (Gina,Liz).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\swedish animal beast hot (!) cock hairy (Sarah).mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\bukkake public penetration .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\indian nude lingerie girls young .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\gang bang beast hidden feet hairy .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\lesbian [milf] girly .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\russian animal horse lesbian sweet .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\malaysia beast masturbation (Curtney).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\malaysia blowjob lesbian gorgeoushorny (Christine,Janette).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\spanish beast girls .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\action xxx girls glans (Ashley,Jade).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\kicking lesbian several models bedroom .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\french bukkake sleeping penetration .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\russian cum fucking hot (!) .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\japanese beastiality gay hidden .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\xxx girls feet black hairunshaved .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\italian gang bang gay [bangbus] beautyfull .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\russian handjob gay several models feet mistress (Liz).mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\beast full movie (Melissa).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\porn bukkake full movie glans girly (Sylvia).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\norwegian fucking full movie titts .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\nude beast big girly .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\norwegian fucking full movie granny .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\swedish horse fucking big penetration .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\cumshot gay big mistress .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\russian action hardcore several models titts stockings (Sarah).mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian catfight latex .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\bukkake catfight high heels .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\gang bang beast public (Melissa).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\handjob lingerie public bedroom .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\american animal horse licking feet .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\porn beast several models .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\horse horse [free] gorgeoushorny (Sonja,Jade).avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\spanish bukkake [bangbus] .mpeg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\fucking big bondage .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\porn trambling girls (Karin).mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\malaysia blowjob voyeur shoes .zip.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\fetish gay several models hole .mpg.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\norwegian bukkake uncut shoes .rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\PLA\Templates\beast [bangbus] (Samantha).rar.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\chinese sperm girls traffic .avi.exe	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
4632	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
532	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 3444	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	87
PID 2400 wrote to memory of 3444	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	87
PID 2400 wrote to memory of 3444	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	87
PID 2400 wrote to memory of 532	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	90
PID 2400 wrote to memory of 532	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	90
PID 2400 wrote to memory of 532	2400	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	90
PID 3444 wrote to memory of 4632	3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	91
PID 3444 wrote to memory of 4632	3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	91
PID 3444 wrote to memory of 4632	3444	26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe	91

C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
"C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
  "C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
    "C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe
  "C:\Users\Admin\AppData\Local\Temp\26644db4924025f1aed8bac646d46249f4bac4302e6db4852976a5a64afd88e0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian gang bang fucking big .avi.exe

Filesize
705KB

MD5
3f53b184b8c1dcf0bf7f8e58ba625ed6

SHA1
c2da7c00e565257edbbc29be702dd59d165de8b8

SHA256
1454dda200622a517a6242837fa9f9f668b6ebc6502e2f19bdd505499ab1197b

SHA512
f4fcf69e8e65c8774c48d76ee6cea983482069d019f3918c04385ac5a1323330e4fd2c531923ef16f426269b8d01d4f6b69527ee764d7b8fcbac769cfbb10b35

Download Submit
C:\debug.txt

Filesize
146B

MD5
19064840b1e410634a86f9ab1cbee177

SHA1
3dad1b3b46fd218e960d74d6664be4bd4bf99b15

SHA256
c4a6350156f0095e24d134e41bcbe817cbb9b09789ddc2f5f7c1ed3cedf7f5b0

SHA512
5dcd7a6337b197710e3457ba52ad5a35f7ffefd70c5f1e058010401349e97d68c7a641cb19c64a70535669aec8e204af1b4e4243e2aacbab3ff89078ee2c26c0

Download Submit