f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
Size

1.9MB
MD5

ac02bdf47c1bf332ec1c128eb5bf1daa
SHA1

d98389f89d70e0a52af0c694cbcc0521cf62f4ef
SHA256

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9
SHA512

cdf678061bfb17f344d9ad914f9278e3bbaf04a3bf80c8fc9f53225bf8e005729850096fa8f9fd425b3d2d40fe46543843e883b2039691cb6ee1fde9323198e3
SSDEEP

49152:CsonjgfeMymYptKbmjzktSI5JUT42+JQPvj1/cEZF3:g5MymYGfG4vkvjJ3

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese action fucking sleeping (Liz).rar.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

resource	yara_rule
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese action fucking sleeping (Liz).rar.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exef461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exef461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File opened (read-only)	\??\B:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\H:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\M:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\O:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\R:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\V:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Y:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Z:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\G:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\I:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\J:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\L:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\U:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\E:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\K:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\Q:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\T:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\W:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\A:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\N:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\P:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\S:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File opened (read-only)	\??\X:	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in System32 directory 12 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\asian horse sperm big (Gina).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\System32\DriverStore\Temp\swedish fucking masturbation mature (Samantha).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\FxsTmp\cum hidden cock 40+ .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\IME\SHARED\danish fetish lesbian .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore cumshot hidden nipples shower .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\gang bang uncut (Melissa).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\german lesbian [free] (Gina).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\african cumshot [free] nipples .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\config\systemprofile\american bukkake full movie .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\FxsTmp\malaysia lesbian trambling [bangbus] sweet .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\IME\SHARED\brasilian fucking uncut wifey .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american horse [free] shower .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in Program Files directory 18 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\bukkake catfight pregnant .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\dotnet\shared\kicking action sleeping glans circumcision .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fucking [milf] feet swallow .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\spanish blowjob porn [bangbus] .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\gang bang fucking public leather .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese horse hidden cock hairy .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Google\Temp\japanese gang bang gay several models .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Google\Update\Download\german lesbian lesbian redhair .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Microsoft\Temp\lesbian bukkake full movie balls .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake hardcore hidden blondie .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Common Files\microsoft shared\spanish bukkake fucking licking nipples .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese action fucking sleeping (Liz).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\xxx masturbation nipples .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\russian nude uncut titts (Sylvia,Curtney).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\malaysia gang bang several models beautyfull .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\root\Templates\beastiality masturbation boots .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\cumshot porn public legs high heels .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\asian cum beastiality full movie .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Drops file in Windows directory 64 IoCs

Processes:

f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\black sperm animal [milf] vagina redhair .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\italian action blowjob big black hairunshaved (Ashley).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\british trambling hot (!) ejaculation (Anniston,Jade).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\xxx lingerie uncut balls .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\swedish bukkake beast several models .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\swedish cumshot licking ash .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\lingerie voyeur redhair .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\porn [free] .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\american fucking masturbation traffic .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\gay fetish [free] glans swallow (Melissa).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\african horse full movie upskirt .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\swedish kicking sperm catfight (Anniston).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\CbsTemp\indian kicking lingerie hot (!) glans .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\russian gay handjob licking feet .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\fetish gang bang catfight nipples 50+ .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\brasilian xxx gay [milf] (Sonja,Curtney).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\horse horse big traffic .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\beastiality masturbation leather .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\canadian horse trambling public shoes .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\canadian nude porn girls upskirt .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\cum catfight feet fishy .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\african horse several models stockings (Tatjana).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\blowjob [milf] gorgeoushorny .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\hardcore fucking public (Jade).mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\InputMethod\SHARED\cumshot cum girls legs shoes .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SoftwareDistribution\Download\SharedFileCache\canadian lingerie nude big granny .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\japanese fucking girls .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\handjob hardcore several models .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\american trambling voyeur cock (Sarah).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\brasilian beastiality beastiality uncut young .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\russian horse uncut .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\handjob voyeur circumcision .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\african handjob gay girls .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\lingerie sperm voyeur high heels (Kathrin,Karin).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\indian cumshot sperm sleeping nipples stockings .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\canadian gay animal hidden mistress (Jade,Tatjana).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\russian fucking hot (!) .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\indian cum fetish [bangbus] .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\cum fetish [milf] (Janette).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\norwegian fetish gang bang voyeur swallow .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\animal masturbation cock .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\lesbian horse several models cock sweet (Janette,Christine).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SoftwareDistribution\Download\indian kicking beast [bangbus] .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\swedish beastiality masturbation .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\danish gang bang big sweet (Anniston).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\asian fetish cumshot [milf] sm .mpg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\russian sperm licking hairy .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\lesbian uncut .avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\danish hardcore girls stockings .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\animal fucking [bangbus] hairy (Anniston).rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\indian bukkake nude lesbian (Curtney).mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\russian cum masturbation traffic .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\british lingerie big titts .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\sperm horse [free] sweet (Sonja).zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\japanese trambling several models wifey .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\black gang bang fetish public beautyfull .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\mssrv.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\tyrkish trambling girls legs .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\african horse kicking several models .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\malaysia horse full movie (Sarah).avi.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\italian beast hot (!) stockings .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\black bukkake nude public .rar.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\beast lesbian stockings .zip.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
File created	C:\Windows\assembly\tmp\animal nude big blondie .mpeg.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1432 3160 WerFault.exe f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

pid	pid_target	process	target process
1432	3160	WerFault.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

description	pid	process	target process
PID 3160 wrote to memory of 3584	3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3160 wrote to memory of 3584	3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3160 wrote to memory of 3584	3160	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4512	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4512	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4512	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4344	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4344	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 3584 wrote to memory of 4344	3584	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 4512 wrote to memory of 4332	4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 4512 wrote to memory of 4332	4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
PID 4512 wrote to memory of 4332	4512	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe	f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
3⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
4⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe
"C:\Users\Admin\AppData\Local\Temp\f461d21b1b802ad18251457fb3e7318d1ce08ce08e5382f927a97aa443f77bd9.exe"
3⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 1232
2⤵
- Program crash
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3160 -ip 3160
1⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese action fucking sleeping (Liz).rar.exe
Filesize
1.6MB

MD5
93596e6ccbb07ba0a41d6740a77a4e58

SHA1
499071cf8f5a55ba8d536665eccadc1d1792b827

SHA256
b34ae454e812678fa9b9d82118c730744f8459bfb327605d83b0817e14b37a02

SHA512
cf3ea039c9f36dbec9d585157fd218b5271f9360b0aad5dbb34cf29f95cb454c36d5dae48877f3b77508b6eb6bf38c5823f47bb521579fe0a9bcf516d807948a

Download Submit