8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a

General

Target

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
Size

312KB
MD5

1bea324a9a2eb2eca27c862b39b6ab10
SHA1

0842f791a841575aa8691d9cc9960afa6a799355
SHA256

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a
SHA512

5e2b7b23fbf81ab4245f9f6c04615f42b30dfe08788e38b41feee9007b2c3e6609cb140321be436a8c5e435d47e4ff56139fb907910cebd5e588fbdf560ba380
SSDEEP

6144:zXC4vgmhbIxs3NBBzIYZXzmdkJL2XVaYe23KXd+6S4xczc1YL096J0O8IrCWGd8B:zXCNi9B/ZXzgkJSXIx2H6Xgc1YLxbWWb

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	ioc	process
File opened (read-only)	\??\P:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\U:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\N:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\L:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\Q:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\V:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\W:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\E:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\G:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\K:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\R:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\S:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\X:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\Z:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\B:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\F:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\H:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\I:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\J:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\M:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\O:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\T:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\A:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File opened (read-only)	\??\Y:	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Drops file in System32 directory 10 IoCs

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	ioc	process
File created	C:\Windows\System32\LogFiles\Fax\Incoming\sperm full movie feet mistress .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish porn fucking full movie hole (Kathrin,Samantha).rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish kicking lesbian [bangbus] (Janette).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\IME\shared\xxx licking cock shoes .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\japanese action blowjob [milf] titts (Britney,Curtney).rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish porn xxx public titts upskirt (Sarah).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\FxsTmp\american kicking sperm [bangbus] pregnant .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\System32\DriverStore\Temp\tyrkish action fucking full movie young .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\IME\shared\swedish horse lesbian sleeping 50+ .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SysWOW64\config\systemprofile\indian cum gay lesbian titts femdom .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Drops file in Program Files directory 15 IoCs

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\indian action bukkake masturbation young .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files\DVD Maker\Shared\tyrkish porn beast sleeping titts .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\sperm catfight titts fishy .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\indian kicking beast girls .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\horse [free] titts (Christine,Melissa).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling full movie hole .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\swedish cumshot beast girls glans tÛ (Tatjana).rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\cumshot blowjob licking cock wifey .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\swedish nude xxx uncut hole shoes (Tatjana).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\black nude sperm several models feet .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\blowjob girls feet blondie (Samantha).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\indian fetish blowjob full movie boots .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Google\Temp\horse uncut bondage .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish cumshot horse sleeping hotel .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Program Files\Windows Journal\Templates\gay [bangbus] hairy .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Drops file in Windows directory 64 IoCs

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	ioc	process
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\fetish fucking licking (Liz).avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\japanese nude lesbian hidden .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\brasilian cumshot sperm big latex .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\chinese horse licking hole (Gina,Tatjana).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\spanish lesbian hidden bedroom .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\italian horse bukkake [free] ejaculation .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\chinese lingerie girls .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian nude fucking uncut boots .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\french hardcore licking fishy (Christine,Sylvia).rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\horse [free] cock sweet .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\PLA\Templates\blowjob voyeur titts .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\tyrkish handjob hardcore full movie traffic (Gina,Curtney).mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish nude xxx hidden cock penetration .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\danish animal beast masturbation mature .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\beast full movie hole beautyfull (Samantha).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\InstallTemp\bukkake masturbation (Karin).mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\tyrkish cumshot fucking voyeur cock young (Sylvia).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\kicking bukkake sleeping boots (Ashley,Sarah).avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\french trambling [free] cock wifey .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\bukkake licking leather .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\tyrkish handjob beast hidden 40+ .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\xxx [bangbus] cock mature .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\tmp\lingerie masturbation cock .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\italian cumshot fucking public glans (Sandy,Samantha).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\british beast [free] (Curtney).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\handjob lingerie uncut stockings .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\beastiality fucking uncut feet boots .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\russian cum xxx [free] glans .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\black cum bukkake masturbation (Karin).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\kicking horse [milf] blondie .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\horse bukkake licking cock .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\lesbian public hole .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\danish cumshot hardcore catfight hotel .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\Downloaded Program Files\japanese cumshot trambling [milf] swallow .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\italian beastiality bukkake big titts stockings .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\black kicking beast several models ejaculation .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\porn beast full movie pregnant .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\action bukkake [free] upskirt .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\tyrkish porn fucking full movie feet high heels .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\security\templates\lingerie uncut YEâPSè& .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\fucking [milf] (Sarah).avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\SoftwareDistribution\Download\danish porn beast hidden .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\tyrkish horse trambling masturbation hole beautyfull .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\british horse girls latex .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\black kicking horse [milf] titts shoes (Liz).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\horse [free] cock girly .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\indian gang bang hardcore masturbation sm .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian voyeur glans .avi.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\beast catfight titts .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\french beast uncut balls (Kathrin,Jade).mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\cumshot sperm masturbation mistress (Sandy,Samantha).rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\mssrv.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\sperm public feet (Ashley,Karin).mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\nude trambling [free] .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\hardcore big upskirt (Anniston,Liz).mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\action xxx [bangbus] cock redhair .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\indian handjob hardcore hot (!) traffic (Sonja,Jade).zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast girls pregnant .zip.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\cum fucking voyeur cock .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\beastiality lingerie hot (!) hole black hairunshaved .mpg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\porn hardcore hidden (Karin).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\japanese kicking lesbian voyeur cock boots .rar.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\asian lesbian hot (!) (Tatjana).mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\indian animal sperm big lady .mpeg.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

pid	process
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
1964	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

description	pid	process	target process
PID 2016 wrote to memory of 2020	2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2016 wrote to memory of 2020	2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2016 wrote to memory of 2020	2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2016 wrote to memory of 2020	2016	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2020 wrote to memory of 1964	2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2020 wrote to memory of 1964	2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2020 wrote to memory of 1964	2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
PID 2020 wrote to memory of 1964	2020	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe	8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe

C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
"C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
"C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe
"C:\Users\Admin\AppData\Local\Temp\8620597b967a989699c96d798291ab64028a6677265e33ffd1f1a9b958550d2a.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1964

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1964-57-0x0000000000000000-mapping.dmp

Download
memory/2016-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2020-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads