98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2022, 20:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
Size

856KB
MD5

2ada1261a00752e2f9cc9d866b8be738
SHA1

2b0e9c8ac109e10a7dbdfc0a7153e3faa29da7cf
SHA256

98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38
SHA512

869596be469f57728f882cec261a1120eea83592c9ed5c5a1e26ad8689331d25969ad87c4dc7dfd4d722057280b8f91c9de0c70e0164e85515e214bc0cc2aa7e
SSDEEP

24576:A8cPH6I336DEcYrRvYlbf0BSXR//olL8YepF6zD1ehg:ArfHPcY9vnSB/c4YepSD1l

Score

8^/10

persistence spyware stealer upx

Malware Config

Signatures

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4368-132-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2892-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2160-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2328-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4368-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\Z:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\F:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\G:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\K:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\P:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\T:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\M:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\Y:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\E:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\H:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\I:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\J:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\L:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\B:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\O:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\Q:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\W:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\X:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\A:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\N:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\R:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\S:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File opened (read-only)	\??\U:	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\tyrkish fetish xxx hot (!) .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\IME\SHARED\gang bang hardcore masturbation .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\italian cumshot xxx [milf] high heels .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish animal lesbian [bangbus] glans black hairunshaved .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\IME\SHARED\sperm public (Liz).zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm voyeur .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm girls glans (Christine,Jade).mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\FxsTmp\canadian beast several models hole YEâPSè& .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\hardcore sleeping .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black action hardcore lesbian hole girly (Janette).avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\FxsTmp\bukkake hot (!) (Karin).mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling [bangbus] hole wifey .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lesbian [bangbus] .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Common Files\microsoft shared\tyrkish cum bukkake licking high heels .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\swedish gang bang fucking sleeping .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\beast [bangbus] 40+ .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\russian porn bukkake lesbian (Sarah).mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Google\Temp\american gang bang trambling voyeur .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Microsoft\Temp\blowjob full movie cock gorgeoushorny (Janette).rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian horse sperm lesbian latex .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\american cum trambling several models .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\american cumshot bukkake several models glans .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish gang bang horse several models .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese gang bang sperm licking feet .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\sperm hot (!) titts redhair .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish kicking beast girls titts .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse uncut circumcision .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore big gorgeoushorny .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\japanese gang bang blowjob several models titts mature .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\gay masturbation latex .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\security\templates\italian cum bukkake full movie glans hairy .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish handjob xxx hot (!) cock .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\malaysia beast catfight penetration .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\kicking bukkake catfight titts .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\hardcore hidden titts boots .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\german horse masturbation 40+ (Jenna,Sarah).mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\blowjob [free] feet beautyfull .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\norwegian beast uncut cock .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black fetish lesbian [free] .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\beast big hole beautyfull (Melissa).rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\spanish xxx catfight glans traffic (Melissa).mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\french lingerie lesbian sm (Sonja,Curtney).zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\spanish lingerie public feet high heels .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\african bukkake lesbian .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\cum bukkake catfight titts Ôï .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\black porn trambling girls leather .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\fucking uncut glans .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\danish nude xxx catfight glans girly .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\gang bang sperm voyeur leather .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\horse hot (!) .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\french trambling public shoes .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\russian horse trambling licking cock penetration .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\sperm uncut titts .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\brasilian porn sperm licking cock femdom .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\gang bang trambling uncut titts sweet .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\horse bukkake [free] black hairunshaved .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\african hardcore hidden feet .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\asian gay girls cock boots .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\canadian hardcore several models feet .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\lingerie [milf] hole .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\black fetish lingerie big titts mature .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\tyrkish gang bang sperm licking titts ash .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\italian animal lesbian masturbation hole .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\InstallTemp\swedish nude hardcore [milf] boots .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\russian porn gay catfight titts sweet (Samantha).mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\lingerie full movie sweet (Britney,Samantha).rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\CbsTemp\italian horse xxx hot (!) balls .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\norwegian horse public (Karin).avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\norwegian fucking lesbian bondage .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\african horse licking stockings .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\Temp\indian gang bang horse [milf] glans mistress (Tatjana).zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\lesbian [free] penetration .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\black animal blowjob lesbian .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\cumshot sperm [milf] hairy (Gina,Liz).avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\african xxx [free] 40+ .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\norwegian blowjob public 50+ .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\german fucking uncut hotel .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\black animal gay uncut blondie .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\spanish bukkake public glans .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\cum xxx girls titts .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\russian nude trambling full movie hairy .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\italian porn fucking hidden titts .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\danish horse xxx several models (Samantha).mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\british blowjob girls feet pregnant .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\action lingerie [free] .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\swedish fetish sperm voyeur feet boots .mpg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\bukkake sleeping (Jade).zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\nude sperm [bangbus] femdom .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\italian nude fucking masturbation feet hairy (Janette).rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\indian fetish gay big feet .mpeg.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\spanish trambling licking titts .avi.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\horse uncut high heels .rar.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\tyrkish action xxx several models glans .zip.exe	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2160	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
2328	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 2892	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	78
PID 4368 wrote to memory of 2892	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	78
PID 4368 wrote to memory of 2892	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	78
PID 4368 wrote to memory of 2328	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	80
PID 4368 wrote to memory of 2328	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	80
PID 4368 wrote to memory of 2328	4368	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	80
PID 2892 wrote to memory of 2160	2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	81
PID 2892 wrote to memory of 2160	2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	81
PID 2892 wrote to memory of 2160	2892	98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe	81

C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
"C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
  "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
    "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2160
- C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe
  "C:\Users\Admin\AppData\Local\Temp\98638734f8b993c2445cad4a5eca68bc59c4d07c4d622080b7861f2189b32c38.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2328-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2892-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4368-132-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4368-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download