f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
Size

472KB
MD5

871aa03212202d8ab54e4d1d0ccfb11f
SHA1

6b5d09fa952b2bcebc1924ff1a445a12ff271a8f
SHA256

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6
SHA512

55185bba2a50414818331afd316c73d3a64eec2702fd390d1b9eae4070db0dec6e1d47501748da1cc30b993e1d9aa16196ea04bf7c87ac4015605de0486eb3f1
SSDEEP

12288:OWji9BR9Srhx4A+Dx9JMFO+B3E/tmxqRXQQKk0Dzw:CC4ApB3E/0xAXfK9w

Score

9^/10

persistence spyware stealer

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 1 IoCs

Processes:

resource yara_rule

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse horse lesbian swallow (Curtney).mpeg.exe INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

resource	yara_rule
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse horse lesbian swallow (Curtney).mpeg.exe	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exef3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
File opened (read-only)	\??\Z:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\E:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\J:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\Q:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\S:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\X:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\G:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\K:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\O:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\Y:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\P:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\R:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\T:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\A:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\B:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\H:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\L:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\M:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\V:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\W:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\I:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\N:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File opened (read-only)	\??\U:	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Drops file in System32 directory 12 IoCs

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
File created	C:\Windows\SysWOW64\IME\SHARED\horse catfight (Janette).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\cumshot kicking hot (!) black hairunshaved .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black kicking action licking boobs leather .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\FxsTmp\russian beastiality porn hidden lady (Sarah,Kathrin).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\nude catfight gorgeoushorny .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\trambling catfight .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\malaysia xxx beast [milf] (Tatjana,Gina).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american porn animal lesbian glans tß .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling horse lesbian YEâPSè& .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\System32\DriverStore\Temp\horse animal uncut boobs .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\FxsTmp\sperm catfight .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SysWOW64\IME\SHARED\japanese horse action [milf] .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Drops file in Program Files directory 18 IoCs

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\cumshot full movie .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\swedish gang bang voyeur circumcision .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fucking [bangbus] castration .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\gang bang kicking sleeping feet gorgeoushorny .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Google\Temp\fucking beast several models .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\dotnet\shared\beastiality xxx [milf] (Sonja,Britney).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\french hardcore uncut latex .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\bukkake uncut mistress .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Google\Update\Download\hardcore trambling hot (!) (Sonja,Jade).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Microsoft Office\root\Templates\tyrkish beast xxx voyeur (Sarah,Sarah).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse horse lesbian swallow (Curtney).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\gay full movie .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\american fucking several models nipples black hairunshaved .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish horse lesbian [free] .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\german gang bang cumshot licking fishy .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files (x86)\Microsoft\Temp\british lesbian [milf] hole sweet (Kathrin,Tatjana).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Common Files\microsoft shared\blowjob sperm [bangbus] hole .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\spanish lingerie uncut hole femdom .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Drops file in Windows directory 64 IoCs

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	ioc	process
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\chinese horse uncut legs boots .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\swedish beastiality girls legs .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\black horse action catfight (Jenna).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\horse cum catfight granny .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\porn hidden .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\lingerie porn voyeur legs young .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\lesbian [free] (Sandy).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\PLA\Templates\beastiality several models vagina black hairunshaved .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\american hardcore lingerie voyeur vagina boots (Gina,Curtney).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\canadian fucking [milf] titts pregnant (Gina).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\animal kicking girls castration (Sandy).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\porn full movie (Sonja).zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\lingerie gay big glans .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\tyrkish horse big .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\cumshot lesbian licking nipples .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\indian kicking sleeping redhair .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\asian porn xxx full movie feet .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\british sperm voyeur nipples fishy .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\malaysia nude [bangbus] ash (Melissa).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\canadian hardcore bukkake sleeping leather .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\Downloaded Program Files\canadian lesbian girls pregnant (Sylvia).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\african kicking horse public 50+ .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\beastiality bukkake voyeur .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\bukkake uncut cock (Melissa,Britney).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\blowjob horse full movie (Ashley,Karin).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\gang bang lesbian hot (!) swallow .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\xxx animal uncut granny (Jenna,Curtney).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\chinese beastiality cumshot lesbian (Sonja).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\beastiality lesbian fishy .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\danish xxx public granny (Britney,Tatjana).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\animal horse sleeping ejaculation .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\italian gay hardcore public circumcision .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\cum beastiality masturbation (Jade,Melissa).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\beastiality [free] circumcision .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\sperm girls titts leather .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\german nude sleeping traffic (Sonja,Sarah).mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\InputMethod\SHARED\xxx [bangbus] .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\SoftwareDistribution\Download\swedish beast xxx [bangbus] young .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\animal uncut fishy .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\horse uncut .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\cum fetish [free] feet ejaculation .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\horse hot (!) hairy .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\nude lesbian uncut .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\gay porn uncut cock gorgeoushorny (Sarah).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\black trambling hidden hole (Janette,Sonja).zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\black lesbian full movie blondie .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\spanish cumshot fucking big YEâPSè& (Christine).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\danish xxx hidden fishy .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\hardcore beast lesbian .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\porn cumshot [bangbus] glans (Sonja,Jenna).rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\british cumshot big bedroom .mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\black blowjob cumshot [free] upskirt (Sandy).avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\american animal public pregnant .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\action licking .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\canadian gang bang hidden glans bondage .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\beast handjob public (Sylvia).mpg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\beast handjob sleeping .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\xxx horse hidden .avi.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\canadian trambling gay public titts .zip.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\kicking fucking [free] vagina Ôï .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\spanish horse [bangbus] shower .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\beast kicking [milf] ash young .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\beastiality animal voyeur bedroom .mpeg.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\indian xxx [milf] legs .rar.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3376 1360 WerFault.exe f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

pid	pid_target	process	target process
3376	1360	WerFault.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exef3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exef3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exef3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

pid	process
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
2984	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exef3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

description	pid	process	target process
PID 1360 wrote to memory of 4456	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 1360 wrote to memory of 4456	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 1360 wrote to memory of 4456	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 1360 wrote to memory of 2984	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 1360 wrote to memory of 2984	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 1360 wrote to memory of 2984	1360	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 4456 wrote to memory of 4984	4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 4456 wrote to memory of 4984	4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
PID 4456 wrote to memory of 4984	4456	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe	f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe

C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
"C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1360

C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
"C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
"C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe
"C:\Users\Admin\AppData\Local\Temp\f3ea0bc2c9e3768661f3b21b8c82d2e61fc487de814ea879d9e4784c4255a7b6.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1360 -s 1972
2⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1360 -ip 1360
1⤵
PID:4884

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse horse lesbian swallow (Curtney).mpeg.exe
Filesize
1.7MB

MD5
fd90accf47579c1b3f16f9e33119df31

SHA1
a499c8fd86c9d496e79107fb31c0c6f0f72cea2e

SHA256
21baafc2e8664a50cfa34df232ef95abd3d4922ee5831b969a88341f87584f17

SHA512
f504bcc0832cbcfaaaac53d6a4979a439d39ad23eda92739fa60eafbf4ca5f80ddd5fbd72bb8ff8913f57a92ea4e66acc04ef4435417de27e7639bc91921d45b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads