e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
Size

1.4MB
MD5

a9077dd7a533d1e9b0e8a3ee64fe4275
SHA1

8847773ded6946551aec56e505c9b4bda66c28a5
SHA256

e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c
SHA512

384c7aee9458fd578fec1a72266299d744fa7dc55eeac10955d3437fe261282544b453b45562d4ff96085bddf7d0a93611f1de829553bf7be45499d887782b14
SSDEEP

24576:YoBWN/adk2iecrjYodz6GSs2qdB8GzEArRify8TZcOHcg+:XRd54d1n93IGzEArRG3TfHI

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

Detects executables containing possible sandbox analysis VM usernames 6 IoCs

resource	yara_rule
behavioral2/memory/5048-62-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2636-165-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/116-194-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/5048-197-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/2636-198-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames
behavioral2/memory/1036-200-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxUserNames

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/116-0-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/files/0x000700000002342f-5.dat	UPX
behavioral2/memory/5048-62-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2636-165-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/1036-166-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/116-194-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/5048-197-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/2636-198-0x0000000000400000-0x000000000041E000-memory.dmp	UPX
behavioral2/memory/1036-200-0x0000000000400000-0x000000000041E000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/116-0-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/files/0x000700000002342f-5.dat	upx
behavioral2/memory/5048-62-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2636-165-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1036-166-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/116-194-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/5048-197-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/2636-198-0x0000000000400000-0x000000000041E000-memory.dmp	upx
behavioral2/memory/1036-200-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\I:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\L:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\M:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\N:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\O:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\Q:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\X:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\Y:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\Z:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\R:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\W:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\E:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\P:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\S:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\U:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\B:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\G:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\H:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\J:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\K:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\T:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File opened (read-only)	\??\V:	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\tyrkish kicking [milf] .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\System32\DriverStore\Temp\horse catfight glans .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\IME\SHARED\tyrkish handjob big pregnant .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\norwegian cum licking ash mistress .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\IME\SHARED\italian trambling hardcore girls lady .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\french lingerie voyeur bedroom .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\FxsTmp\italian animal masturbation .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\german lesbian horse girls glans .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\spanish porn sperm lesbian boobs lady .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\config\systemprofile\blowjob lesbian penetration (Sonja,Sandy).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\FxsTmp\cumshot sperm voyeur (Jenna).rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking beastiality several models latex (Jenna,Sarah).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\american fucking porn several models penetration .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\fetish public titts latex .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Microsoft\Temp\animal masturbation ash (Ashley).zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Microsoft Office\root\Templates\horse gay catfight (Melissa).zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\lingerie licking ash (Sonja).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\french bukkake big black hairunshaved .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\american animal sperm sleeping ejaculation (Kathrin).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\blowjob fetish full movie bondage .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\black beast sperm big fishy .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Google\Temp\nude gang bang [bangbus] cock shower .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Common Files\microsoft shared\swedish beastiality fucking lesbian sweet .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\dotnet\shared\fetish uncut glans (Kathrin,Britney).zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german sperm kicking girls legs .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black cumshot masturbation .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\canadian blowjob sleeping granny .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\french xxx blowjob sleeping high heels .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\lingerie girls balls .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Program Files (x86)\Google\Update\Download\italian sperm full movie (Gina,Sarah).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\porn voyeur shoes .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\lesbian animal sleeping glans 50+ (Sandy,Liz).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\norwegian beast fetish full movie .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\asian cumshot cum several models nipples mistress (Tatjana).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\italian porn licking .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\swedish cum beastiality voyeur femdom .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\danish trambling voyeur nipples (Ashley,Anniston).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\blowjob horse sleeping granny .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\italian nude lesbian beautyfull .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\american gang bang girls boots .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black handjob hot (!) black hairunshaved .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\indian action kicking full movie cock hairy .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\malaysia gang bang cum full movie glans stockings .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\british beastiality porn catfight (Christine).mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\nude sleeping circumcision (Sonja,Britney).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\brasilian horse uncut .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\german beastiality [milf] ash hotel .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\Downloaded Program Files\blowjob full movie redhair .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\chinese porn full movie legs blondie (Liz).rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\japanese lingerie nude hidden .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\american lesbian lingerie girls boobs Ôï .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\italian gay horse full movie (Sandy,Ashley).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\norwegian sperm [milf] high heels (Sonja,Tatjana).mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\blowjob hidden 50+ .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\action licking Ôï .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\french fucking lesbian ash .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\blowjob gang bang several models balls .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\swedish kicking [free] balls .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\american hardcore blowjob sleeping feet .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\lingerie public beautyfull .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\danish nude uncut .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\horse kicking masturbation .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\kicking action [milf] YEâPSè& .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\french fetish big nipples shoes .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\fucking beast [free] cock upskirt .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\japanese animal action girls girly (Liz).rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\horse voyeur .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\norwegian porn sleeping ejaculation .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\swedish kicking handjob hidden wifey .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\african trambling gang bang masturbation glans (Christine,Sarah).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\gay sleeping penetration .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\nude public ash bedroom (Anniston).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\norwegian blowjob catfight hairy (Anniston,Jade).zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\brasilian lesbian [free] hairy (Jade,Janette).mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\japanese action girls castration (Tatjana,Britney).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\asian hardcore public shower (Janette,Gina).mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\american horse xxx uncut .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\blowjob big traffic .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\canadian xxx uncut fishy .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\swedish action xxx big sm (Samantha).avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\american bukkake [bangbus] .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\spanish trambling action hidden hole YEâPSè& (Sarah,Karin).zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\french fucking horse several models ash (Ashley).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\danish porn girls ash (Jade,Sonja).rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\gay handjob hidden high heels (Sylvia).mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\danish hardcore hardcore voyeur traffic .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\canadian hardcore animal public glans .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\hardcore voyeur swallow .zip.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\beast licking hotel .mpeg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\InstallTemp\malaysia hardcore girls .avi.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\black horse gay lesbian feet (Sylvia).mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\cum masturbation swallow .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\spanish nude horse masturbation balls .mpg.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\kicking hot (!) young .rar.exe	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
1036	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
2636	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 5048	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	91
PID 116 wrote to memory of 5048	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	91
PID 116 wrote to memory of 5048	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	91
PID 5048 wrote to memory of 2636	5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	94
PID 5048 wrote to memory of 2636	5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	94
PID 5048 wrote to memory of 2636	5048	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	94
PID 116 wrote to memory of 1036	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	95
PID 116 wrote to memory of 1036	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	95
PID 116 wrote to memory of 1036	116	e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe	95

C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
"C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2636
- C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe
  "C:\Users\Admin\AppData\Local\Temp\e8648e430aa470659655942a92cdee44d8f715455d6679e988f53f96a7b85f4c.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\german sperm kicking girls legs .zip.exe

Filesize
692KB

MD5
085f8449cca626a4ad7856a89086d236

SHA1
707b50fed2fb996c50cfc35867b26b8521bed5b8

SHA256
c57aee0b1edd190b8ddb2e2a55cd8e90eeac842d183f014ddf48a68b6c1596e7

SHA512
1e339bf4a35ed2613889ca0d0bb9c26bd7abedb699f63f5f2c446f87ba3ed2a9d1f5e003a8f87fc5a6faaa853764d59ff18af29e431a5b4ae667d7061489fd4a

Download Submit
memory/116-0-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/116-194-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1036-166-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1036-200-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2636-198-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5048-62-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/5048-197-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download