ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334

General

Target

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
Size

1.2MB
MD5

c2353d76b0b8b87b578e8ce1d2ec7a7a
SHA1

3f459642be627f630c7951c09b1490b218fbeffb
SHA256

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334
SHA512

8c3e21d652e7cc3663d0cffcc12bd5acf75003787d39363bec3fce7e1373de51252e837cc078bfa9c0ebc83a1553e628a36f685c6d8d9aa2d9b7304774102777

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	ioc	process
File opened (read-only)	\??\G:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\J:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\K:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\O:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\P:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\T:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\B:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\U:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\V:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\X:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\Z:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\R:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\I:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\N:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\S:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\W:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\Y:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\A:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\F:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\H:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\L:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\M:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\Q:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File opened (read-only)	\??\E:	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Drops file in System32 directory 10 IoCs

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\beast gang bang big upskirt .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\IME\SHARED\animal kicking public ash (Sarah).rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian sperm [bangbus] fishy (Karin,Jenna).mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\IME\SHARED\spanish action girls fishy (Sylvia,Sandy).zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian porn [free] .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian several models cock beautyfull (Gina,Anniston).zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\FxsTmp\brasilian trambling big legs .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\canadian hardcore animal girls lady .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fetish porn several models .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse sperm sleeping sweet .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Drops file in Program Files directory 18 IoCs

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian lesbian fucking licking .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\trambling cum girls (Liz,Janette).mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Google\Temp\gay fetish licking feet granny .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Common Files\microsoft shared\horse lesbian .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\cumshot cum [milf] balls .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian beast cumshot full movie (Kathrin,Kathrin).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\russian beastiality gang bang licking stockings .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese blowjob beast several models titts ejaculation .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\french animal gang bang lesbian glans (Kathrin,Tatjana).rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian horse [milf] sweet .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beast girls shower (Curtney).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\kicking hidden ash hairy .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\norwegian beast hidden .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fetish gang bang uncut vagina .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian handjob big .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemeDownload\canadian action cum licking .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Google\Temp\GUM1CBD.tmp\cumshot xxx [milf] wifey .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Program Files (x86)\Google\Update\Download\russian animal horse hot (!) granny .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Drops file in Windows directory 64 IoCs

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese sperm gang bang licking gorgeoushorny (Gina,Tatjana).avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish sperm beast [bangbus] .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..itemplayer.appxmain_31bf3856ad364e35_10.0.15063.0_none_321f672489c5b007\beast animal big vagina 40+ (Jade).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.15063.0_none_1895ea111f4e532b\norwegian kicking [free] .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.14917.0_none_8eece50f24fd46c1\horse catfight black hairunshaved .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\PLA\Templates\chinese nude masturbation black hairunshaved .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.15063.0_en-us_63f9db269c27aea6\indian animal gang bang sleeping blondie .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\sperm blowjob hot (!) cock castration .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\sperm xxx voyeur sm .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.15063.0_none_4ba01b63d7ffbb2c\indian horse lingerie sleeping black hairunshaved .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.15063.0_none_08bf7f9e8bc2f9be\spanish kicking sperm voyeur .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.15063.0_none_001bfcdf5de51236\sperm girls hotel (Kathrin).avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.15063.0_none_823eedf24d7c94ef\bukkake hardcore catfight hole castration .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.14917.0_none_3bd3f3051392f7d4\american beastiality [bangbus] .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\fucking lesbian full movie .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.15063.0_none_dc58dc5e4326d0f7\beastiality sperm licking .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.15063.0_en-us_e8f8d0efa3ca43d8\cum big vagina YEâPSè& .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.15063.0_none_fd61363b291ec882\brasilian trambling cumshot several models .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.15063.0_none_d8c07703ded57c9e\black horse [milf] redhair .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SoftwareDistribution\Download\cum nude [free] ash blondie .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.15063.0_none_8a81cc881a4e1ce3\cum girls (Tatjana,Liz).mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\gang bang public hairy .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\german beastiality beast [bangbus] granny (Gina,Liz).mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.15063.0_none_39384d9f3be72de5\bukkake hot (!) ash pregnant .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.15063.0_none_15e137df821b01cf\lingerie catfight .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15552.17062_none_2a7da49f7e9ba8db\spanish horse handjob several models penetration (Gina,Sarah).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american cumshot [milf] beautyfull .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\CbsTemp\british gay lesbian lesbian .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.15063.0_none_2035e231b67bc3ca\brasilian trambling hidden (Samantha).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\lingerie gang bang voyeur YEâPSè& (Melissa).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..templayer.appxsetup_31bf3856ad364e35_10.0.15063.0_none_9921e5477e81b31d\french horse fetish voyeur latex (Sarah).zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.15063.0_none_21fd4bfdeda110b4\black sperm hidden nipples ash (Sandy,Samantha).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\french hardcore [milf] titts femdom .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.15063.0_none_09b84801cf18f260\german handjob sleeping femdom .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.15063.0_none_778b43149fe461f5\swedish lingerie cumshot uncut leather .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.15063.0_none_0e221877fd47eb56\xxx voyeur hairy .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.15063.0_en-us_8c2ec72b9de99c9a\asian sperm fetish uncut black hairunshaved (Jenna).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.15063.0_none_688980fe0ef48d36\american cumshot cumshot catfight hairy .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.14917.0_none_544360eea6679c6a\fucking animal masturbation feet penetration .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.15063.0_none_2eebcee009477b68\british lingerie beast hidden feet .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.15063.0_none_d2f2b61f3d92d78e\bukkake sleeping (Curtney,Liz).rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.15063.0_none_f5c7528d2984503b\british cum big hotel .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.14917.0_none_3da35853c0403297\african lingerie [milf] titts .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.15063.0_en-us_beb2894aa158013a\sperm hardcore voyeur .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.15063.0_none_de5d897605da0625\bukkake gay voyeur high heels .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.15063.0_en-us_411b1c4b5e2d9003\canadian gang bang lesbian sleeping cock granny .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.15063.0_none_0437af998b0e208e\danish cumshot catfight sweet .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.15063.0_none_55f4c5b60c607d27\asian gay porn big mistress .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\ServiceProfiles\LocalService\Downloads\chinese beast several models .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.15063.0_none_90c250ae7f2093cf\beast sperm uncut cock upskirt .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.15063.0_none_a526c8c864b049af\horse [free] mistress (Britney).rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.15063.0_none_a6b148c63a40bbc9\nude kicking [milf] (Janette).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\assembly\temp\german beastiality sleeping .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\animal licking glans sweet .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\InstallTemp\beastiality hot (!) blondie .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\Downloaded Program Files\black beast action full movie femdom (Christine).mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.15063.0_none_fe6ad54c576237c3\british action [bangbus] .mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.15063.0_none_02cfe449f29e2cff\russian beast kicking public blondie .rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.15063.0_en-us_f500948426aea099\tyrkish handjob bukkake voyeur high heels (Ashley,Samantha).rar.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.15063.0_none_431935c9af4713a2\lingerie voyeur young .zip.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\french beastiality [milf] boobs beautyfull .avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\german action handjob [bangbus] legs mistress .mpg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.15063.0_none_9ad21e76304f87b4\kicking catfight (Ashley).mpeg.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.15063.0_none_43bc3732ce83692c\tyrkish animal lesbian latex (Christine).avi.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exeae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exeae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exeae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

pid	process
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2416	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
2460	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exeae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

description	pid	process	target process
PID 4048 wrote to memory of 1596	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 4048 wrote to memory of 1596	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 4048 wrote to memory of 1596	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 4048 wrote to memory of 2416	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 4048 wrote to memory of 2416	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 4048 wrote to memory of 2416	4048	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 1596 wrote to memory of 2460	1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 1596 wrote to memory of 2460	1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
PID 1596 wrote to memory of 2460	1596	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe	ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe

C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
"C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4048

C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
"C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
"C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe
"C:\Users\Admin\AppData\Local\Temp\ae86be669c3a8634ea266fa32bb31d17e129f6415ae28641f50624a69584c334.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416