a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
Size

404KB
MD5

839c1e421864a090c847647efe36c820
SHA1

8b65f5f322e96ce2a9b05edf151bebe901761320
SHA256

a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d
SHA512

86b22a1ec45d9f96855f296417e655f3686843114868b1882106e94cd055937fff0948c8f1ce236e08792b45550542a690369ae3eb8f002e110823cff522933a
SSDEEP

6144:zXC4vgmhbIxs3NBBuXTcYHERV2Qnqj3Zw3jzUaSErCn04VT0o7ObkVqE2JiFjrhl:zXCNi9BokRV2Q0p+4ajrCn0aOYbZhl

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\O:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\S:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\W:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\X:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\Y:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\H:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\K:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\L:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\U:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\V:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\Z:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\A:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\B:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\E:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\G:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\I:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\M:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\N:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\Q:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\T:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\J:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\P:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File opened (read-only)	\??\R:	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian [bangbus] .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian porn hardcore sleeping cock .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish gang bang blowjob masturbation (Sarah).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian horse xxx masturbation cock boots .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\IME\shared\tyrkish handjob lesbian catfight gorgeoushorny .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\System32\DriverStore\Temp\blowjob several models traffic (Gina,Karin).zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\FxsTmp\animal gay public cock girly (Sarah).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\IME\shared\danish kicking gay lesbian feet leather .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\black animal fucking catfight 50+ .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian gang bang xxx hot (!) leather (Sandy,Tatjana).rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese porn hardcore hidden upskirt .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files\Common Files\Microsoft Shared\black kicking xxx full movie feet (Sonja,Sarah).zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files\Windows Journal\Templates\american nude gay [free] .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian beastiality bukkake catfight traffic .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Google\Update\Download\bukkake lesbian mature .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\indian action lingerie [milf] black hairunshaved .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\tyrkish nude blowjob hidden granny .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\italian cum lesbian full movie girly .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\american gang bang blowjob voyeur feet .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish horse lingerie licking glans boots .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Google\Temp\tyrkish handjob trambling sleeping .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\danish cumshot sperm several models .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\indian cumshot gay masturbation (Sarah).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\indian handjob fucking girls .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian horse blowjob masturbation high heels .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\fucking voyeur high heels .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\african xxx voyeur .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\cumshot xxx catfight feet .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\cumshot gay [milf] .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\InstallTemp\german beast lesbian penetration .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\spanish trambling girls shower .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\german hardcore [bangbus] glans .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\trambling licking feet .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\horse uncut .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\tyrkish handjob xxx full movie cock ejaculation .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\beastiality gay hidden (Tatjana).mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\brasilian cumshot lingerie full movie hole (Gina,Curtney).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\asian lesbian hot (!) girly .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\animal lesbian hidden ash .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\malaysia lingerie [free] swallow .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\danish cumshot lesbian masturbation cock .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish animal horse [milf] cock (Christine,Samantha).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\german fucking catfight 50+ .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\japanese kicking gay public upskirt .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\security\templates\american fetish trambling lesbian sweet (Anniston,Curtney).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american cumshot sperm hot (!) hole granny (Tatjana).rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\horse sperm uncut titts (Ashley,Tatjana).rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\danish cumshot sperm voyeur feet (Sandy,Liz).mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\Downloaded Program Files\russian kicking fucking girls titts girly (Melissa).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\danish beastiality sperm [bangbus] cock mature (Samantha).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\malaysia xxx big (Sarah).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\handjob beast public hole girly .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\german horse full movie granny .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish gang bang lesbian [milf] gorgeoushorny (Sonja,Tatjana).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\fucking voyeur cock black hairunshaved .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\PLA\Templates\japanese handjob fucking public beautyfull .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\swedish animal gay sleeping .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\horse lingerie lesbian glans .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\black cumshot bukkake sleeping girly (Sonja,Sarah).mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\norwegian fucking several models lady .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\lesbian several models ìï .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\lingerie [bangbus] cock upskirt (Curtney).avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\tmp\brasilian cumshot blowjob girls upskirt .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\blowjob licking bondage .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\handjob horse public wifey (Kathrin,Janette).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\cum horse licking 50+ .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\tyrkish nude blowjob [milf] .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\sperm public glans hotel (Liz).mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\hardcore hidden (Karin).zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\american cum lesbian voyeur young .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\kicking lingerie catfight titts YEâPSè& .zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\african bukkake [free] mistress (Britney,Liz).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\mssrv.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\italian handjob hardcore sleeping .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\hardcore [free] sm .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\cumshot lesbian voyeur cock sm (Janette).zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\african horse [bangbus] cock wifey (Samantha).mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\asian lingerie public hole .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\lingerie catfight cock sm .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\malaysia lesbian [free] castration .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\fucking sleeping 50+ .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\SoftwareDistribution\Download\brasilian animal sperm big cock .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\malaysia bukkake [milf] ejaculation .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\bukkake public stockings .mpeg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\asian lesbian sleeping glans leather (Sylvia).zip.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\fetish blowjob [free] cock latex .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\lingerie masturbation glans lady .rar.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\bukkake [free] balls .avi.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\american handjob lesbian [milf] hole .mpg.exe	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
1240	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1520	1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	27
PID 1388 wrote to memory of 1520	1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	27
PID 1388 wrote to memory of 1520	1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	27
PID 1388 wrote to memory of 1520	1388	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	27
PID 1520 wrote to memory of 1240	1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	28
PID 1520 wrote to memory of 1240	1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	28
PID 1520 wrote to memory of 1240	1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	28
PID 1520 wrote to memory of 1240	1520	a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe	28

C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
"C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
  "C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe
    "C:\Users\Admin\AppData\Local\Temp\a37a5258408b2bcd28a5fccb62939d1d5aeb841b0d67bfd1880cfe17666cb35d.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1240