e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
Size

96KB
MD5

4dd6ae13bc6cee183ba8010c48d092fb
SHA1

4a74a9dd05c7162cbc8891bfceeaa8a94a9430a2
SHA256

e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b
SHA512

a16b80ac4ad9870367cfabafcaf17e5f51855e154fd517afb98ba81d8d7bb4f0b78ed0ef77de37621716e9227d5324846627198a2a3dd08498a34bdc13f8cae3
SSDEEP

3072:bjbLl/gvQoutgbqKo4L1Tj4mYWR/R4nkPR/1ET/Dxxm:bjluQoSsqaxIo5R4nM/G/Djm

Score

9^/10

persistence spyware stealer upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/1672-0-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral2/files/0x00070000000233f7-5.dat	UPX
behavioral2/memory/1076-12-0x0000000000400000-0x0000000000429000-memory.dmp	UPX
behavioral2/memory/3876-143-0x0000000000400000-0x0000000000429000-memory.dmp	UPX

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1672-0-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-5.dat	upx
behavioral2/memory/1076-12-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3876-143-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\U:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\X:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\H:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\S:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\T:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\L:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\M:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\O:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\Q:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\R:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\A:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\E:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\G:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\V:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\Y:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\Z:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\K:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\P:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\W:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\B:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\I:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File opened (read-only)	\??\J:	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\gay girls cock .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\IME\SHARED\russian cumshot trambling [milf] .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\bukkake [free] .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\swedish action blowjob public (Jade).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black cumshot hardcore catfight .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black gang bang bukkake big balls .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\black fetish gay public bedroom .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\FxsTmp\swedish handjob hardcore masturbation mature .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\config\systemprofile\beast voyeur .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\FxsTmp\black porn sperm public .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\IME\SHARED\trambling full movie shoes (Kathrin,Melissa).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish beastiality lesbian girls glans high heels .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\beast voyeur lady .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\root\Templates\italian action gay sleeping (Samantha).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian horse sperm full movie (Janette).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Google\Temp\lesbian [milf] blondie .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Microsoft\Temp\black horse gay voyeur high heels .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\trambling [free] bedroom .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\bukkake several models .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Google\Update\Download\american nude lingerie hot (!) .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian handjob horse licking glans .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\blowjob licking gorgeoushorny .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Common Files\microsoft shared\russian gang bang bukkake masturbation young (Britney,Liz).zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian beastiality bukkake several models feet sweet .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\xxx hot (!) mature .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\italian cumshot lesbian masturbation glans .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\danish animal horse [milf] redhair .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\chinese horse licking cock ejaculation (Samantha).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\blowjob licking hotel .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian horse bukkake licking glans boots .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\russian animal lingerie [free] cock .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\indian action xxx masturbation 50+ .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\french xxx catfight (Curtney).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\canadian horse full movie .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\fucking voyeur lady (Ashley,Jade).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\british gay hot (!) (Jade).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\blowjob [bangbus] young (Ashley,Samantha).rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\japanese porn gay public glans bondage .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\tyrkish fetish hardcore hot (!) hotel .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\french beast full movie hole .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\horse [milf] cock 50+ .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish cumshot blowjob girls glans (Christine,Melissa).rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\horse girls (Samantha).zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\canadian beast licking (Samantha).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\indian nude lesbian licking glans .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\sperm licking (Jade).rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\action trambling licking .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\blowjob big (Melissa).zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\indian animal fucking [milf] redhair .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\canadian lingerie [bangbus] feet .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\french hardcore catfight femdom .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\blowjob hidden shoes .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\PLA\Templates\trambling [free] feet latex .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\canadian blowjob hidden glans 50+ (Tatjana).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\spanish horse lesbian mature .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\brasilian beastiality hardcore several models .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\horse lesbian hidden bedroom .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\italian beastiality bukkake licking feet .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\horse trambling sleeping .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\fucking catfight glans .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\gay hot (!) cock .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\chinese fucking several models titts shoes .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\assembly\temp\black nude lingerie hot (!) cock traffic .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\indian cumshot fucking big wifey .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\animal trambling licking hole .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\canadian horse lesbian mistress .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\british lingerie catfight titts balls .avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\swedish porn trambling [bangbus] .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\hardcore public titts blondie (Jade).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\italian kicking xxx masturbation shoes .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\japanese horse bukkake hot (!) high heels .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\norwegian beast sleeping .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\cumshot gay big (Jade).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\norwegian xxx public titts blondie .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\gay public titts (Christine,Melissa).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\lesbian [free] 40+ .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\indian kicking lesbian sleeping cock mature (Karin).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\asian xxx licking .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\spanish beast girls (Jade).zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\InputMethod\SHARED\italian beastiality xxx catfight (Melissa).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\cumshot lingerie uncut feet penetration .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\french hardcore sleeping gorgeoushorny .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\indian action fucking voyeur (Karin).rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\malaysia gay voyeur glans .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\Temp\french blowjob uncut titts (Christine,Karin).avi.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\japanese fetish gay [milf] (Curtney).mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\russian porn bukkake hidden traffic .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\bukkake [bangbus] (Tatjana).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\blowjob catfight Ôï .rar.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\cumshot trambling masturbation hole sweet .mpeg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\security\templates\swedish cumshot lesbian uncut glans balls .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\russian kicking blowjob licking hole .zip.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\cum trambling lesbian glans shower (Melissa).mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
File created	C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\beastiality lesbian public stockings .mpg.exe	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
3876	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1076	1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	89
PID 1672 wrote to memory of 1076	1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	89
PID 1672 wrote to memory of 1076	1672	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	89
PID 1076 wrote to memory of 3876	1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	93
PID 1076 wrote to memory of 3876	1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	93
PID 1076 wrote to memory of 3876	1076	e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe	93

C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
"C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
  "C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe
    "C:\Users\Admin\AppData\Local\Temp\e11bf1ea6496be8de1e8f51e51ae0dc4d2b07cc8e81b4927388d553f07cc287b.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian handjob horse licking glans .avi.exe

Filesize
1.9MB

MD5
6a98a8572984d1f8d2b19668f11384af

SHA1
ff1d657484258f53c5ef199b718dbd4e089fdb50

SHA256
40330855159711db195e0fe5c8f9a9bb725f07a7a590bc00affc8b17548c50d4

SHA512
3f2e79a815767d91dfe6b5975f4498c91680919a41f96ef54c572ccde01086b13ec6d638fcdace9aa626909cd782e36d50f734ea43806603bca39127f1c3d343

Download Submit
memory/1076-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1672-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3876-143-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download