913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42

Analysis

max time kernel
150s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Size

471KB
MD5

d973614d4cac301358263701ff674963
SHA1

9126bdac6de090d1f4d9c1cde85daa933345eb45
SHA256

913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42
SHA512

4129b75063ca45c6f8c4153c6ca92f556dfd3d860510b63aa80a3704b9d97e4aaa5b118eca1a24f03126848ec7fd713af0a81183cd348ac8e6fc3f951a0e21b8
SSDEEP

12288:JXCNi9BVcvXy6sPPyo45dZqNwlG7MEYTUso9nWp489+:sWCvkPPyX58w6M6sQnWp489+

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342b-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\A:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\G:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\O:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\X:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\T:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Z:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\N:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\U:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\I:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\V:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\L:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\M:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\I:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\B:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\J:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\R:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\R:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Y:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\L:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Q:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Z:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Q:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\X:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\V:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\W:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\S:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\K:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\K:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\E:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\W:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\H:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\A:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\H:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\P:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\A:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\H:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\E:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\G:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\R:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\N:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Q:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\S:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\P:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\T:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\E:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\U:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\L:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\T:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\I:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\S:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\J:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\S:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Z:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\X:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Y:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Y:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\K:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\W:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\Q:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\V:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\K:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\N:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File opened (read-only)	\??\W:	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish cumshot sperm several models hairy .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\DriverStore\Temp\malaysia lesbian bukkake hidden .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\DriverStore\Temp\russian porn blowjob [free] hole 40+ .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\bukkake licking shower .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african horse public nipples shower .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\DriverStore\Temp\danish fetish blowjob public feet .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian action hardcore sleeping titts latex .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\DriverStore\Temp\gay trambling [milf] titts .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\spanish kicking big Œã .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\xxx full movie young .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore uncut (Janette).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\trambling gang bang public redhair .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian gay [free] sweet .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\norwegian kicking action full movie boobs (Samantha).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking [free] fishy .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\sperm several models boots .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\african nude sleeping .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian action horse masturbation .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish handjob blowjob full movie latex .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish handjob beast licking (Samantha).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\cumshot porn sleeping .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\swedish action trambling girls glans high heels (Curtney).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\nude lingerie big young .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian xxx kicking big boots .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese cum xxx masturbation upskirt .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish horse xxx voyeur (Jade,Sarah).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie catfight (Sylvia).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish cum trambling uncut femdom .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian animal lingerie public feet .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish cum lingerie lesbian .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\horse lesbian masturbation .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese kicking nude uncut castration .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian animal sperm masturbation 50+ .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\black lingerie cumshot licking cock swallow .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\hardcore [milf] high heels .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beast hot (!) hotel .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish nude sperm [free] titts .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\american porn beast licking black hairunshaved .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\bukkake hidden (Sylvia).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese cumshot lesbian voyeur sweet (Sonja).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob big blondie .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian cumshot xxx sleeping cock hairy (Melissa).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian action beast hot (!) .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\indian gang bang hardcore licking gorgeoushorny .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian animal hardcore [bangbus] wifey .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\fetish gang bang full movie hotel (Curtney,Christine).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\danish cum hardcore big .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse full movie ash .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\asian animal animal several models vagina (Sylvia).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\config\systemprofile\swedish fetish fucking catfight swallow .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish cumshot bukkake [milf] cock femdom (Sarah).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\african nude hidden .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\black kicking fucking licking glans girly (Samantha).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian cum sperm voyeur hotel .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\american hardcore sleeping mistress (Ashley).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\FxsTmp\cum xxx [free] (Karin).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian beastiality horse hidden .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\horse voyeur .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian beastiality gay public sweet (Sandy,Janette).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian fetish beast licking titts high heels .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\horse hardcore masturbation cock .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Google\Temp\russian handjob bukkake masturbation cock redhair .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\dotnet\shared\italian action bukkake lesbian hole (Sonja,Tatjana).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Common Files\microsoft shared\beast trambling [free] legs redhair .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Common Files\microsoft shared\handjob beast full movie feet leather .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake beastiality masturbation feet .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking cumshot full movie .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Google\Update\Download\italian nude [bangbus] cock .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\dotnet\shared\horse hot (!) titts .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Google\Update\Download\japanese horse sperm [free] (Tatjana).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\dotnet\shared\norwegian lesbian animal [bangbus] hole (Curtney,Sonja).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\italian trambling beast girls (Sonja).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\trambling sleeping hole fishy .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\italian fucking blowjob masturbation .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\Templates\xxx big (Sarah).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian cum beast uncut titts .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\african gay bukkake full movie cock .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Google\Update\Download\danish xxx xxx hot (!) stockings .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast sleeping (Sylvia).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\Templates\american beastiality [bangbus] .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\russian blowjob [bangbus] glans (Britney,Liz).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish cum full movie granny .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\gay sleeping traffic .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\fucking lesbian hairy .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\tyrkish gang bang sperm lesbian hole femdom .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\japanese fetish sleeping .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\asian action public boobs latex .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american beast beastiality [bangbus] feet hairy .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lesbian catfight (Samantha).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian horse hardcore several models feet gorgeoushorny .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\dotnet\shared\indian cum lingerie [bangbus] titts balls .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\black handjob beast masturbation .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\gay lesbian bedroom .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\british fucking masturbation .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\hardcore public girly .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\xxx sleeping cock girly .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\lingerie uncut titts blondie (Karin).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\gay voyeur feet young (Liz).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Google\Temp\brasilian beastiality fucking catfight pregnant .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian porn several models fishy (Sandy,Liz).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\brasilian handjob fucking [milf] .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish gang bang horse several models .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\german hardcore girls shower .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish nude hardcore hidden feet castration .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\italian animal lesbian [milf] (Jade).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\japanese handjob lingerie catfight black hairunshaved (Sonja,Jade).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\beast [free] .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast [free] 40+ (Britney,Jade).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\indian beastiality fucking voyeur titts (Sandy,Jade).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\nude hardcore lesbian (Jade).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\norwegian sperm voyeur feet pregnant .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\beast xxx licking stockings .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\russian handjob hardcore masturbation feet shower .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore public feet ejaculation (Karin).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black horse trambling uncut cock shower .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\black gang bang trambling licking nipples sm .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\german trambling sperm lesbian (Karin).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Common Files\microsoft shared\french lingerie uncut .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\xxx catfight (Melissa).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\black horse lingerie [bangbus] hole .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian lesbian several models legs fishy .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\handjob nude uncut titts (Jenna,Janette).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Common Files\microsoft shared\tyrkish action beast [bangbus] titts .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Program Files\Microsoft Office\root\Templates\horse hidden titts fishy .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\xxx big (Curtney).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\chinese horse sleeping .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\porn fucking big hole .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\porn lingerie voyeur cock 40+ (Melissa).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\sperm big gorgeoushorny .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\lesbian hidden lady .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\bukkake [free] redhair (Samantha).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\black porn voyeur (Sylvia).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\british sperm several models boots .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\malaysia horse [free] hole leather (Melissa).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\bukkake big ejaculation .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SoftwareDistribution\Download\canadian animal girls .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\fucking bukkake [bangbus] nipples .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\blowjob [milf] .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\beast full movie .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\spanish xxx [free] YEâPSè& .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\american beastiality gay [milf] castration (Ashley,Jade).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\cum gay voyeur .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\spanish beast [bangbus] .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\swedish lesbian girls .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\brasilian cumshot horse masturbation hole YEâPSè& .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx public feet .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\german lesbian big granny .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\fetish xxx voyeur .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\gay hot (!) YEâPSè& (Gina,Anniston).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\indian cumshot fucking voyeur fishy .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\cumshot sperm voyeur (Sandy).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\kicking bukkake several models young .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\beastiality hot (!) nipples 50+ (Liz,Samantha).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\african trambling hidden feet wifey (Jade).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\french hardcore lingerie voyeur glans hairy .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\action hidden .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\kicking [free] feet .mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\british gay girls .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\african nude [bangbus] .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\american fetish hidden castration .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\blowjob blowjob licking titts Ôï (Melissa).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie lesbian cock mature (Melissa).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black hardcore full movie nipples femdom .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\kicking handjob several models ash castration .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\danish trambling [milf] cock penetration .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\tyrkish nude gay sleeping girly .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\lesbian lesbian ash (Kathrin,Sarah).rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\InstallTemp\porn bukkake sleeping (Sarah).mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\horse catfight boobs traffic .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\sperm [free] feet .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\horse [milf] .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\british gay [free] hotel .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\asian lingerie nude voyeur boobs .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\Temp\swedish horse uncut titts circumcision (Sonja,Jenna).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\british horse licking cock girly (Samantha).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\Downloaded Program Files\indian cum horse public (Jade).zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\brasilian gang bang trambling catfight titts gorgeoushorny .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\japanese cumshot lingerie lesbian bedroom .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\japanese action lingerie [milf] mistress .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\xxx girls blondie .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\canadian blowjob [milf] (Melissa).avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\xxx [free] feet balls .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\fucking hardcore girls .mpg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\japanese handjob sperm full movie Ôï .rar.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\asian sperm [bangbus] (Curtney).mpeg.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\cumshot trambling lesbian bondage .zip.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\blowjob porn voyeur .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\indian trambling masturbation cock bondage .avi.exe	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
1048	2632	WerFault.exe	80
2920	4648	WerFault.exe	84
5068	396	WerFault.exe	85
3276	4904	WerFault.exe	92
1472	5076	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 4648	2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	84
PID 2632 wrote to memory of 4648	2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	84
PID 2632 wrote to memory of 4648	2632	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	84
PID 4648 wrote to memory of 396	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	85
PID 4648 wrote to memory of 396	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	85
PID 4648 wrote to memory of 396	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	85
PID 4648 wrote to memory of 5076	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	91
PID 4648 wrote to memory of 5076	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	91
PID 4648 wrote to memory of 5076	4648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	91
PID 396 wrote to memory of 4904	396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	92
PID 396 wrote to memory of 4904	396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	92
PID 396 wrote to memory of 4904	396	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	92
PID 5076 wrote to memory of 4588	5076	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	98
PID 5076 wrote to memory of 4588	5076	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	98
PID 5076 wrote to memory of 4588	5076	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	98
PID 4904 wrote to memory of 3648	4904	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	99
PID 4904 wrote to memory of 3648	4904	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	99
PID 4904 wrote to memory of 3648	4904	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	99
PID 3648 wrote to memory of 3336	3648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	104
PID 3648 wrote to memory of 3336	3648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	104
PID 3648 wrote to memory of 3336	3648	913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe	104

C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
"C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
  "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
    "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
    3⤵
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
      "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
      4⤵
      Checks computer location settings
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3648
      - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
        
        "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
        6⤵
        
        PID:3336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1284
        5⤵
        Program crash
        
        PID:3276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1348
      4⤵
      Program crash
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
    "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
    3⤵
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe
      "C:\Users\Admin\AppData\Local\Temp\913ad33937f9cb469cbde4cf092d777cf829be7b1fe2c9fc767807dd800d5c42.exe"
      4⤵
      PID:4588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 1356
      4⤵
      Program crash
      PID:1472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 1356
    3⤵
    - Program crash
    PID:2920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 1320
  2⤵
  - Program crash
  PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2632 -ip 2632
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4648 -ip 4648
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 396 -ip 396
1⤵
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4904 -ip 4904
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5076 -ip 5076
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lesbian catfight (Samantha).mpg.exe

Filesize
1.6MB

MD5
5a8b65a3d38469518b4b88499a91b081

SHA1
77ca3175ef8abe78c820d42d42ade5d436492808

SHA256
12d2617014204934496b681b190a6817053811c9b94193b86462a74e0028d15c

SHA512
9eb9bd90a7d5a3045d892d68e349de4f0502228df650047f970347e5aab86541a1ef8932e3a759a88f0986356063957650fa5304fa73fbb30c8086cdce8c0078

Download Submit
C:\debug.txt

Filesize
216B

MD5
1cbd75998aaa2d7a7534d254a0b34bdf

SHA1
e7abd6acc7a7fd1f631eab1811e3c8dac0fb1f52

SHA256
4a9cde893d71f07fc072618d15f17ac2c7c82e1f16451fc3541f73a7abd86c19

SHA512
b1f55661598539e6dd81bd576ccf008f3d28d591c5fece1299a71b37d08d21ed0127055dd333989f8d2fd81fad4ffdddfe0f4131bacb86df13492d47d7925bc4

Download Submit
C:\debug.txt

Filesize
364B

MD5
b133ccfc3a5ecdd30b0e56374f3d6c3d

SHA1
9f3fa36e60b28b086818c791d58ec580dd0aaff0

SHA256
4662f7d40fdeb91707e004737c91f49d87b7083dfa9fef40954b8b5d00b7570e

SHA512
58a089fe34dd933dea381bd400d351bfd8cf8ed25820f1f1405f6464be94f12ee36fc4b896cec48f5d31a39ee6f143fc2337bfd4b27f2c56bb076dfdd71ae0f8

Download Submit
C:\debug.txt

Filesize
488B

MD5
f2b0259b187a5729eb788c1cc4b6f22e

SHA1
da36bfc2b3525f5becb6ede6f081bc3cb24c16fb

SHA256
41a24fa96606eb823e0974deeb9435ddb7f9e39045b3300d481fd9e26228824c

SHA512
b0cf022dee46299930be94f7b46e06ffe81859231592cf407ae6ad252ab5f08179f6792f419882a2304b619bc8298ea13138ca76a4e36ce2be2646a55e6c650d

Download Submit
C:\debug.txt

Filesize
599B

MD5
161945b479668cbb22f515f407e5be99

SHA1
f710ba65f53bbdc702186ce8b0c7370e2166e774

SHA256
db0217acc2fb6eb6a491517cc1dd82ecf1dde102d2fc05a7c4c6f9ee40190f6e

SHA512
4c64c79961b686ce5b87cc4b20b8da70f9ae5825c39019ff903868f8ac3242f173c0eb3186f47d61743fb5848558639793d481414c43a2b1fc0a61998f8e71a5

Download Submit
C:\debug.txt

Filesize
710B

MD5
a0c654fb7f38299172d42cc3647b024f

SHA1
f391f786206ca2dcaf63f92ce1d9e815ff257ed7

SHA256
007868044e400b0c560bd2e993010f27c175f1fcb861c42ebbd455b949c02064

SHA512
17ab2c38e4454eb9ffffea3650dd55b007d44d79703631c3f7fc9ab13d59a135230a2a5b37cfb3c10ad4c03c75f48752ebe7e74ac17041d6387a6d81e245629c

Download Submit