675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Size

2.0MB
MD5

1b1711724b0cca40296e38e42ded08bc
SHA1

0ab8c17f2a6e37547b1ab671ba98e05b62800a74
SHA256

675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696
SHA512

83b163b975025b5d0bb5d20b8d09ac4d1501001bf25e0d74af06524c4313b78ffd2dabb364bc6ff8b09a2ea5310a315ecd67831f31edff8654b9ba577d202dc2
SSDEEP

49152:BE1jTpAQmoni+XurXVFV0TMMqov/xNOrTVIL:qjTeQmSXuXxGNO/VIL

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233fc-4.dat	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\X:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\E:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\E:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\K:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\S:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\M:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\E:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\E:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Q:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\V:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\B:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\I:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\S:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\G:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\R:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Z:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\G:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\L:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Z:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\U:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\A:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\M:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\H:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\S:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Z:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\I:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\P:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Y:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\V:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Y:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\W:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\I:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\L:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\W:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\K:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\P:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Q:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\H:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Y:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\X:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\K:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\E:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\G:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\H:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\J:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\V:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\W:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\P:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\R:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\L:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\N:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\T:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\J:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\L:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\X:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\U:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\V:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\B:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\B:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\Q:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\V:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\L:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File opened (read-only)	\??\N:	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\swedish horse xxx [milf] gorgeoushorny .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beast public leather (Britney,Karin).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\american cum sperm big titts .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\lingerie hardcore sleeping (Sandy,Christine).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\trambling [milf] titts upskirt .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black cum lingerie [milf] (Janette).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish fetish fucking licking hole balls .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\lingerie nude masturbation mistress .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\beastiality sleeping gorgeoushorny (Karin).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\horse bukkake [milf] hole hotel (Sandy,Sarah).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\DriverStore\Temp\japanese handjob cumshot lesbian hotel .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\handjob sleeping latex .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\DriverStore\Temp\brasilian horse gay full movie (Curtney).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese kicking horse hidden hole ash .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\russian horse trambling big feet (Gina,Sarah).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish fucking full movie swallow .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\sperm girls granny .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\malaysia lesbian hot (!) high heels .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality [milf] .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\beast lesbian [free] beautyfull .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\gang bang sleeping sm .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\american handjob full movie pregnant .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\indian kicking lesbian [milf] sweet (Gina,Tatjana).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian cumshot hardcore big glans bondage .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian handjob beast [free] shower .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\indian fetish [milf] sm (Tatjana).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality hardcore sleeping castration .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse cumshot catfight ash pregnant (Curtney).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\nude beast [milf] feet .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob xxx hidden .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\malaysia nude sleeping black hairunshaved .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\gay fucking girls 40+ (Curtney).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\african hardcore gang bang several models .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\russian handjob fucking uncut feet hairy .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian kicking bukkake girls hole (Sonja,Karin).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\chinese animal horse hidden high heels .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beastiality action catfight .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\DriverStore\Temp\black cumshot sperm [free] leather .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake lingerie girls .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian horse horse hidden sm .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\danish lingerie fucking [free] hole .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\beast [milf] (Melissa).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake [bangbus] titts gorgeoushorny .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish nude beast hidden mature .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese animal fucking [free] circumcision .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm sperm [free] cock 50+ .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\russian porn gay hidden titts .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\hardcore kicking [milf] nipples shower .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\DriverStore\Temp\danish horse voyeur cock .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\british xxx uncut granny (Karin).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\british fucking lesbian lesbian .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian nude hardcore public .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm voyeur (Melissa).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\FxsTmp\kicking lingerie girls .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\System32\DriverStore\Temp\african sperm animal girls (Sonja,Melissa).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian beast licking legs hotel .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\asian nude kicking uncut vagina .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\lesbian masturbation glans .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\hardcore voyeur hole .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SysWOW64\config\systemprofile\chinese beast uncut hole (Britney).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore uncut latex .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Temp\beast [bangbus] wifey .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\african cumshot handjob licking legs high heels (Liz,Janette).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\animal hidden feet Œã (Liz).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\beastiality [bangbus] leather (Anniston,Britney).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\tyrkish kicking trambling [free] (Liz).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\beast uncut glans .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\Temp\sperm hot (!) titts sweet .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Common Files\microsoft shared\american animal fucking uncut .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\nude xxx catfight pregnant .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\hardcore sleeping feet YEâPSè& .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\japanese handjob xxx [bangbus] .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\danish horse trambling full movie cock sm .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fetish catfight hole (Ashley).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\french beast xxx girls nipples (Sandy,Melissa).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\italian beastiality lesbian 50+ (Janette,Liz).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\blowjob catfight (Tatjana).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\Temp\japanese nude beast lesbian (Anniston,Sonja).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Common Files\microsoft shared\malaysia sperm hidden balls .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish handjob bukkake hot (!) hotel .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\swedish nude fucking licking fishy .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\chinese cum sleeping ash .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\dotnet\shared\kicking lingerie girls upskirt .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\russian action horse [free] (Curtney,Curtney).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore gang bang full movie YEâPSè& .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Temp\trambling fucking [free] latex .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\blowjob several models hole YEâPSè& (Sarah).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\chinese fucking hot (!) cock femdom (Liz).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\horse full movie hole shower .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\kicking [milf] legs .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian sperm beastiality sleeping shoes .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish beastiality big nipples boots .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\spanish action kicking voyeur bedroom (Sonja,Janette).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\norwegian fucking sleeping 40+ .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\horse hot (!) hole .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lesbian [milf] cock balls (Sylvia).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian action beast sleeping feet black hairunshaved .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Temp\british gang bang public wifey .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Update\Download\blowjob big glans ejaculation .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Common Files\microsoft shared\lesbian blowjob masturbation ash .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\dotnet\shared\canadian lingerie girls ash 40+ (Anniston).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\canadian sperm cumshot public nipples .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\xxx several models bondage .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Common Files\microsoft shared\malaysia sperm hidden balls .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\dotnet\shared\fucking [bangbus] (Sylvia).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\bukkake full movie feet fishy .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\Temp\fucking [bangbus] glans (Sandy,Sylvia).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\Templates\german nude blowjob several models 50+ .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lesbian fetish sleeping ejaculation .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\nude [milf] stockings (Melissa).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore [bangbus] .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\Templates\lesbian blowjob voyeur .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\Temp\action hardcore catfight glans beautyfull .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\lingerie uncut swallow .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\japanese kicking gay hidden .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese cumshot action [bangbus] ash bedroom (Anniston).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish horse lingerie catfight pregnant .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Update\Download\swedish porn beast several models feet .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\brasilian nude lesbian hidden hotel .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian fetish voyeur mature .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\british cumshot fetish uncut legs (Britney,Christine).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\danish lingerie beastiality hidden (Sandy,Sonja).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Temp\fucking voyeur feet sweet .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Program Files (x86)\Google\Temp\italian animal gang bang sleeping glans 40+ .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\german beastiality beastiality public cock YEâPSè& .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\blowjob action masturbation bedroom (Liz).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\canadian hardcore cum [bangbus] .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\black beastiality cum girls leather .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\sperm beastiality sleeping .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\horse trambling hidden pregnant .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx [free] (Karin).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\blowjob full movie balls .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\tyrkish sperm lesbian catfight mistress (Sonja,Britney).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\chinese beast animal hidden (Kathrin,Kathrin).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\xxx [free] .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\blowjob porn sleeping (Melissa,Jenna).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\gay horse voyeur vagina (Jenna).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\fucking lesbian nipples .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\british nude horse uncut mistress .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\assembly\temp\russian animal horse public 50+ (Sonja,Samantha).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\black action gay girls (Liz).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\japanese beastiality sperm several models .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\french trambling uncut (Melissa).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\asian gay catfight nipples (Kathrin,Christine).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\black gay girls fishy .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\russian lesbian lingerie hidden Ôï .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\african action masturbation cock .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\danish gang bang lesbian sm .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\action hot (!) .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\african xxx licking glans young .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\brasilian gang bang bukkake lesbian titts hairy .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\tyrkish animal fucking several models glans balls (Liz).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\spanish handjob several models titts (Sonja).rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\tyrkish trambling [free] Ôï .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\CbsTemp\spanish handjob gang bang lesbian .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\horse bukkake hidden wifey .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\lesbian sleeping legs leather .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\beastiality horse full movie (Sarah).avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\nude fucking lesbian feet .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\action hot (!) .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\bukkake kicking girls circumcision .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\brasilian handjob girls girly .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\american lesbian licking hotel .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\russian beastiality gay big shoes .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\japanese cum blowjob hidden cock fishy .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\norwegian cum girls black hairunshaved .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\xxx fetish catfight ash penetration .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\sperm big feet .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\security\templates\danish gang bang xxx hot (!) sm .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian beastiality bukkake licking .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\french lingerie lesbian (Curtney).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\horse porn uncut legs (Sonja,Jade).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\cum gang bang full movie ash .mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian handjob trambling hot (!) cock upskirt (Tatjana).mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\brasilian nude trambling sleeping .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\fetish blowjob masturbation mistress .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\russian bukkake masturbation legs mistress .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\german horse masturbation cock 50+ .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\beast bukkake hidden stockings .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\chinese horse public hole fishy .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\danish kicking blowjob licking glans .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\african horse big shower .zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\kicking beast [milf] castration .rar.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\beastiality beast masturbation .avi.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\spanish gay porn [free] boobs femdom .mpg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\african sperm hidden titts hairy (Karin).zip.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\british horse hot (!) hole leather (Jade).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\norwegian fucking several models pregnant (Sonja,Sonja).mpeg.exe	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2720	672	WerFault.exe	80
2840	1484	WerFault.exe	86
776	3036	WerFault.exe	81
3424	2496	WerFault.exe	96
4932	4984	WerFault.exe	95

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 3036	672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	81
PID 672 wrote to memory of 3036	672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	81
PID 672 wrote to memory of 3036	672	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	81
PID 3036 wrote to memory of 1484	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	86
PID 3036 wrote to memory of 1484	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	86
PID 3036 wrote to memory of 1484	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	86
PID 1484 wrote to memory of 4984	1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	95
PID 1484 wrote to memory of 4984	1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	95
PID 1484 wrote to memory of 4984	1484	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	95
PID 3036 wrote to memory of 2496	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	96
PID 3036 wrote to memory of 2496	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	96
PID 3036 wrote to memory of 2496	3036	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	96
PID 2496 wrote to memory of 4252	2496	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	101
PID 2496 wrote to memory of 4252	2496	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	101
PID 2496 wrote to memory of 4252	2496	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	101
PID 4984 wrote to memory of 1936	4984	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	102
PID 4984 wrote to memory of 1936	4984	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	102
PID 4984 wrote to memory of 1936	4984	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	102
PID 1936 wrote to memory of 2024	1936	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	107
PID 1936 wrote to memory of 2024	1936	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	107
PID 1936 wrote to memory of 2024	1936	675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe	107

C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
"C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
  "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
  2⤵
  - Checks computer location settings
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
    "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
    3⤵
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
      "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
      4⤵
      Checks computer location settings
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
        
        "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
        
        "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1380
        5⤵
        Program crash
        
        PID:4932
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1368
      4⤵
      Program crash
      PID:2840
- - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
    "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
    3⤵
    - Checks computer location settings
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe
      "C:\Users\Admin\AppData\Local\Temp\675658949f81fa6f8d20d4f9e0fe0492f7e77ff3d5f2b9b027c54db9ee1b1696.exe"
      4⤵
      PID:4252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1420
      4⤵
      Program crash
      PID:3424
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 1516
    3⤵
    - Program crash
    PID:776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 1188
  2⤵
  - Program crash
  PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 672 -ip 672
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1484 -ip 1484
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3036 -ip 3036
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2496 -ip 2496
1⤵
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4984 -ip 4984
1⤵
PID:812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese cumshot action [bangbus] ash bedroom (Anniston).mpeg.exe

Filesize
1.7MB

MD5
b088d2df720444f94fcae27d820e53be

SHA1
187111450187a0794af5e566036487cba1035967

SHA256
75ee4d5f4a80d6869351ae75a9fb4330e03cccc84fe67f95a7aad6e165bda08e

SHA512
6c463febfb46460850a432d93c71d138b13f7e784e956effa13b2dea11b2e7af159e5269750b02145a0e15bc7144d8b25e509492985d3ad94d1489db89982f8b

Download Submit
C:\debug.txt

Filesize
201B

MD5
b6123395d2c3f356e2323f1a04d38917

SHA1
2075061f23e686b7b25160e6d2a664fee2a446f6

SHA256
5973e9bac37c343bc8ab444a6498c91fced02e31de093ae5e5dd0f275d95abf3

SHA512
f163d102fb34a7e8efe60fbc3ba5b8048ace0dd8fa1ab9af7c3b8a238a2edd5830884924509e4f9eafc90bf1b1a1e1c25a0824013cf19e612a738b414fbc155a

Download Submit
C:\debug.txt

Filesize
312B

MD5
06ba44b2c4619672be7e72c3dab447fb

SHA1
e964759b70948ef5bd7e67e7ce82dc14b0f7a2b4

SHA256
8776baf3a519ed8cebc5048d0fbeaa5887e411af2112d6849b1e291ae2f83fa6

SHA512
1a906b622104a38b034287bfe98ad690f8981d61963c1009218732a746031fbcd16e2566e5f887a6a76fb5eff654664ceb26d8fbba1d1fb7d51c29f6c702c8d2

Download Submit
C:\debug.txt

Filesize
423B

MD5
0def964baba0c3fd560e4aebb7d1e45f

SHA1
6a0bc0d8ad24d7923c622a8a5011ff9c14ed8690

SHA256
20feac8a135c64dd144f1ff48e0bae1d5bd45962f1f853c8f3b55091e32e20f2

SHA512
da0678c11a4ed18fca819077a3c933a4603e2ed5cef65482d603559cd0b211eddf53b1575ad7a320283c0770a386c4c4d52847530b38fad43933f1cad8c2bc58

Download Submit
C:\debug.txt

Filesize
493B

MD5
9ed993e5d604e807ab63ca2e9e7c7824

SHA1
f94e11dfab203c2e7c57eb2807c35229037abc73

SHA256
54888899d35e287aeab584e88b0b38c2a9b8029fb33b64ad94e2e2a186d3cf94

SHA512
a56310683358cdbc58a2289247b94b53028fd98335c928c53a8a34a7bb655b202ce3db3394d33b5b35ed601c9b5e0f750482d352dda243a7dc02887fc2c8ee71

Download Submit
C:\debug.txt

Filesize
604B

MD5
fd9366c41f7804402b3096e937925dea

SHA1
6098097529821690ff2dbcdba0d1308355a33aee

SHA256
a36117cf1742022ab1aa8a7b51d444b3a8d5f864bf93ae40adb62e9e001256cb

SHA512
6d12ffe99370d98935b37149045019b20135fca2dea0f73d737562593250cabab2e79623207cb7f4b2fc295ae17f57be606dffcd965147193a51422d6ea55b12

Download Submit
C:\debug.txt

Filesize
698B

MD5
8e890b10cd3689d09263f09bb08ba39a

SHA1
5a37bccb7deb1a25157006e2cf33f300e27c79df

SHA256
e969fbfa72730384ea15683d3530eeb63d1e56b39cf89592b2334c636f86e70c

SHA512
70f614c6e0ff2d21e08bc1777253a3cabd3ab7c4bb50daabd80c8c3e5d48348beb3d401eaa6b93bd72652a5587bf81f1a9c975d5d584448c6bfaa24364f4bfbb

Download Submit