98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
Size

964KB
MD5

130be2482040029ad9380ca58adff1a0
SHA1

36704f0fb8410e6be0490074827c381d8da6a0d2
SHA256

98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1
SHA512

17916f02e417da9bb38bd0d9bd4ea42b33f81d2b62ff83efee9e3610dc201f41733ccc9bb40604ed1be89d627ae6938a39e82b20c08262a06cf11be46618a338
SSDEEP

24576:2Wzp84e3t2q5cYx+chjARGn5RJo1Edz72hciJJl:zzA3t2qWA+cPn7Jo1oHSLl

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\G:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\L:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\M:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\N:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\T:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\Z:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\A:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\B:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\I:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\J:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\K:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\V:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\E:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\H:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\S:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\W:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\O:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\P:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\Q:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\R:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\U:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\X:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File opened (read-only)	\??\Y:	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish animal horse hot (!) femdom .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse [milf] young (Anniston,Melissa).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish beastiality fucking voyeur hole .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian horse fucking [milf] blondie .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian cumshot horse sleeping .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\FxsTmp\hardcore sleeping (Tatjana).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish action horse full movie ejaculation .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian fetish bukkake [free] latex .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian animal blowjob masturbation glans .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish nude blowjob masturbation shower .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse big latex (Gina,Janette).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian kicking bukkake masturbation (Liz).rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Download\swedish animal fucking licking hotel .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\bukkake [free] fishy (Jenna,Samantha).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\indian porn gay sleeping hole .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\american handjob fucking public cock leather .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\black porn trambling girls glans .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\horse girls cock .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian kicking blowjob uncut glans .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\root\Templates\danish nude gay sleeping cock 40+ (Liz).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore public hole traffic (Karin).avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black handjob beast hidden hole shoes (Janette).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Microsoft\Temp\swedish beastiality lesbian uncut hole young (Karin).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob hidden feet .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Common Files\microsoft shared\bukkake hidden glans leather .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\danish beastiality hardcore public femdom (Ashley,Tatjana).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british beast girls titts traffic .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beast uncut cock .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish nude fucking uncut high heels (Britney,Janette).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\indian cumshot gay [bangbus] lady .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\cum fucking masturbation cock .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\horse sperm hot (!) cock black hairunshaved .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\cum sperm lesbian glans Ôï .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\action trambling hidden hole .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\blowjob lesbian bedroom (Christine,Sylvia).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\chinese gay masturbation (Sarah).rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\lingerie licking hairy .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\brasilian handjob horse big YEâPSè& .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\italian cumshot fucking masturbation girly .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\cumshot lesbian uncut bondage .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\russian handjob blowjob masturbation .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\russian gang bang gay [free] mistress .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\animal blowjob girls redhair .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\british sperm licking hole traffic (Samantha).rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx licking feet .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\horse lingerie girls titts redhair .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\british xxx girls hole hotel .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\fucking masturbation feet leather (Jade).avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\african blowjob public .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\brasilian horse fucking girls glans .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black cum xxx girls ash .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\swedish kicking sperm big circumcision .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\gay full movie feet .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\tyrkish horse fucking voyeur .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american fetish lesbian public fishy .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\Temp\cumshot xxx catfight titts .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\french lingerie hot (!) .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\kicking sperm big .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\sperm [free] feet .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\french xxx masturbation cock .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\black nude blowjob voyeur hotel (Britney,Karin).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\SoftwareDistribution\Download\indian animal bukkake catfight blondie .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\gang bang blowjob masturbation (Sylvia).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\italian fetish lingerie several models girly .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\indian kicking xxx [free] fishy .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\cumshot sperm catfight glans .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\horse masturbation feet mistress .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\tyrkish kicking bukkake [free] .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\chinese lesbian hot (!) .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\tyrkish beastiality horse lesbian wifey .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\gang bang hardcore lesbian .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\lingerie voyeur beautyfull (Sandy,Sylvia).rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\british blowjob voyeur (Karin).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\spanish blowjob public (Janette).rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\asian lingerie licking bondage (Gina,Jade).avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\italian horse bukkake several models young .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\african lesbian masturbation bedroom .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\russian kicking gay [bangbus] .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\malaysia blowjob public hotel .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\french sperm masturbation hole shoes (Curtney).avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\cum horse big cock sweet .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\horse full movie granny .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\black horse hardcore voyeur circumcision (Kathrin,Samantha).mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\chinese beast hidden glans (Jenna,Sylvia).avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\tyrkish cum lingerie hidden (Janette).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\danish cum trambling full movie fishy .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\CbsTemp\sperm public .zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\beastiality blowjob licking .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\french horse full movie feet leather .rar.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\cumshot gay [milf] cock bondage (Jade).zip.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\italian cumshot bukkake masturbation feet 40+ .mpeg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\norwegian sperm several models mistress .mpg.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\brasilian gang bang gay [free] glans .avi.exe	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
2744	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
1672	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1520	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	81
PID 5052 wrote to memory of 1520	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	81
PID 5052 wrote to memory of 1520	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	81
PID 5052 wrote to memory of 1672	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	82
PID 5052 wrote to memory of 1672	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	82
PID 5052 wrote to memory of 1672	5052	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	82
PID 1520 wrote to memory of 2744	1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	83
PID 1520 wrote to memory of 2744	1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	83
PID 1520 wrote to memory of 2744	1520	98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe	83

C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
"C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
  "C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
    "C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2744
- C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe
  "C:\Users\Admin\AppData\Local\Temp\98e5430ec86072c7ace471baf4cb55df344b1268ab9c6ed7dd36651ff407dfa1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads