ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
Size

1.0MB
MD5

39991eda724097124f9070467b85b5cd
SHA1

6a749fce43ad2642273b9e8853abef43b662cac5
SHA256

ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0
SHA512

5d6433fb5006fc13306072b820247b2b046feb0462d28e03ae2d6dd0c3294e78954f02bc0a5a435c587ce48cde85b88e98cea169a15239767731985d079c6103
SSDEEP

24576:lq8vm3KJNoEmls3LwVAVmxjcoYRHP8TgAMtAqYM:Hm3KJNSls7wVAkVBY988AUA9M

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 17 IoCs

resource	yara_rule
behavioral2/memory/628-12-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/3664-13-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1536-55-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/4740-58-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-59-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-84-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-159-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-176-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-198-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-202-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-206-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-210-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-214-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-222-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-226-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-232-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/628-235-0x0000000000400000-0x000000000041C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 20 IoCs

resource	yara_rule
behavioral2/memory/628-0-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/files/0x0007000000023270-5.dat	UPX
behavioral2/memory/4740-11-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-12-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/3664-13-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/1536-55-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/4740-58-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-59-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-84-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-159-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-176-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-198-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-202-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-206-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-210-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-214-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-222-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-226-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-232-0x0000000000400000-0x000000000041C000-memory.dmp	UPX
behavioral2/memory/628-235-0x0000000000400000-0x000000000041C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\M:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\O:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\U:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\S:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\V:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\W:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\X:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\A:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\I:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\J:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\P:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\Z:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\E:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\K:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\R:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\T:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\Q:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\Y:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\B:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\G:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\H:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File opened (read-only)	\??\N:	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\chinese beastiality [bangbus] bondage (Gina,Samantha).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\System32\DriverStore\Temp\kicking licking mature .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\spanish sperm beast girls hotel .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\config\systemprofile\malaysia beast cum full movie boobs mature (Ashley).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\french blowjob licking ash .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\norwegian xxx several models ash .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american gang bang fucking sleeping ash shower (Janette).avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian animal handjob hot (!) (Samantha,Gina).mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\IME\SHARED\asian cum xxx full movie boobs high heels .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\chinese gay hot (!) .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian handjob beast several models femdom .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm [bangbus] femdom .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality several models nipples mature .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob voyeur (Sarah,Jenna).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\british nude licking (Kathrin,Sylvia).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\blowjob voyeur traffic .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\dotnet\shared\russian cumshot fucking [milf] titts black hairunshaved .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\handjob [free] (Britney,Curtney).avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\norwegian kicking full movie bondage .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\cumshot lesbian leather .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\cumshot lesbian lesbian .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Google\Update\Download\trambling girls cock stockings (Samantha).mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\tyrkish beastiality hot (!) legs (Sandy).avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lingerie [free] nipples .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish beast hot (!) hole .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Microsoft Office\root\Templates\german handjob cumshot lesbian titts .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\brasilian gang bang xxx catfight hole 40+ (Jade).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob sperm catfight .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\beast porn several models redhair .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files (x86)\Google\Temp\american horse full movie ash granny .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Program Files\Common Files\microsoft shared\sperm voyeur fishy (Jade,Ashley).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\action cumshot [milf] cock beautyfull .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\canadian lingerie several models boots (Sonja,Sonja).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\american xxx girls .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\black cum kicking sleeping legs lady (Sylvia).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\french beastiality cum sleeping gorgeoushorny .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\japanese hardcore kicking lesbian circumcision .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\malaysia lingerie fucking masturbation 40+ .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\trambling nude [free] (Curtney,Jade).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\cumshot gay public YEâPSè& .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\indian blowjob trambling public glans balls .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\italian fetish [milf] traffic .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\tyrkish xxx horse full movie titts high heels .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\british cumshot hardcore public nipples (Ashley).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\african handjob sleeping mistress .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\black kicking xxx licking titts YEâPSè& .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\danish blowjob fucking big ash beautyfull (Sarah).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\black horse girls glans Ôï .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\trambling uncut legs bedroom .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\lesbian horse masturbation vagina .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\japanese fucking gang bang lesbian boobs (Ashley,Sonja).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\assembly\tmp\horse lesbian .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\InputMethod\SHARED\african hardcore porn several models ash (Sandy,Christine).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\horse gang bang full movie (Ashley,Sandy).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cumshot bukkake girls .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\malaysia sperm horse masturbation .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\brasilian xxx licking stockings .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\beastiality lesbian .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\german hardcore hidden mistress .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\canadian sperm big black hairunshaved .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\PLA\Templates\trambling gang bang [free] ash (Ashley).avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\african horse masturbation latex .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\black horse beastiality catfight vagina latex .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\indian lingerie big .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\french beast public .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\canadian lingerie voyeur .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\gang bang masturbation nipples sm (Sonja).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\canadian kicking sleeping cock .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\cumshot uncut (Tatjana,Janette).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\spanish lesbian sleeping circumcision (Anniston).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\tyrkish nude animal catfight (Jenna,Liz).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\horse [bangbus] femdom .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\russian gang bang girls glans Ôï (Jade,Britney).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\Temp\french gay xxx full movie ejaculation (Britney).mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\russian handjob beastiality full movie .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\Downloaded Program Files\asian handjob beast public vagina shoes .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\handjob masturbation ash sweet .rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\swedish horse full movie boobs bedroom (Anniston,Ashley).mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\malaysia blowjob kicking hidden (Sylvia).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\InstallTemp\gang bang cum voyeur .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\french kicking kicking catfight legs wifey (Sonja,Tatjana).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\american sperm blowjob hidden bondage .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\canadian cum girls vagina stockings (Anniston,Anniston).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\indian lingerie porn [milf] black hairunshaved .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\tyrkish porn lesbian upskirt .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\british cumshot nude [free] vagina shoes .zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\beast [milf] .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\black beastiality sleeping glans .mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\italian cumshot nude girls penetration .mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\asian horse porn public gorgeoushorny (Christine).zip.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\blowjob kicking public hole (Ashley,Christine).mpeg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\black handjob sleeping mistress (Kathrin,Jenna).mpg.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\chinese kicking gang bang public cock .avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\african blowjob lesbian boobs latex (Jade).avi.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\black horse cum masturbation nipples circumcision (Anniston,Karin).rar.exe	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
3664	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
4740	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1536	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	91
PID 628 wrote to memory of 1536	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	91
PID 628 wrote to memory of 1536	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	91
PID 628 wrote to memory of 4740	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	92
PID 628 wrote to memory of 4740	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	92
PID 628 wrote to memory of 4740	628	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	92
PID 1536 wrote to memory of 3664	1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	93
PID 1536 wrote to memory of 3664	1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	93
PID 1536 wrote to memory of 3664	1536	ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe	93

C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
"C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
  "C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
    "C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe
  "C:\Users\Admin\AppData\Local\Temp\ffe0ad3d96f29884229cfec300254817ed0d20e6545a2524ce903ccb957a3eb0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\beastiality several models nipples mature .mpeg.exe

Filesize
2.0MB

MD5
67ee35eed175f08a06476ead6d04b826

SHA1
85c30d27e36a70749c2215a8ba1f92a6b7df27d6

SHA256
39c76307341b41836f416946533961064201977842769f6d40a67a3ce52c2a63

SHA512
a80518670fff33ba3e4abd6a70629f94160e618241a172fd4cdd1812847409149f52f714a3e300ec07e380066c3042e774a09f5c376166f0057de893ecce5160

Download Submit
memory/628-214-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-210-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-12-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-176-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-235-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-232-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-84-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-226-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-198-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-202-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-159-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/628-0-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1536-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3664-13-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4740-11-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4740-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download