Malware Analysis Report

2025-08-05 10:00

Sample ID 240403-xqbvdahg91
Target 1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827
SHA256 1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827

Threat Level: Known bad

The file 1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:03

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:03

Reported

2024-04-03 19:05

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FxsTmp\french nude voyeur glans (Tatjana,Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\american sperm trambling public fishy (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american gay sperm several models 50+ (Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gay hardcore masturbation feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian fucking [bangbus] hairy (Jade,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\System32\DriverStore\Temp\american handjob [bangbus] feet .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\swedish beast several models .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\IME\shared\indian lingerie sleeping penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\horse sleeping (Tatjana,Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\IME\shared\american fetish trambling uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Update\Download\swedish blowjob trambling public .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\spanish gang bang sleeping glans young (Jade,Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\italian gay lesbian cock (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\fucking hidden YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\handjob sperm licking boobs sm .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\norwegian cumshot beastiality [bangbus] hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\nude nude [free] wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\blowjob lesbian (Kathrin,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\porn voyeur .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\gay action hot (!) titts high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\DVD Maker\Shared\russian lesbian hidden redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Windows Journal\Templates\cumshot [free] young .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Google\Temp\chinese beast [bangbus] blondie (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lesbian sperm several models boobs lady .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\action catfight titts leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\cumshot blowjob hot (!) (Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\action horse [free] nipples mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\danish xxx public latex (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\horse lesbian [milf] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\tyrkish lingerie masturbation fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\horse blowjob licking .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\malaysia porn xxx full movie granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\norwegian gay porn licking .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\british xxx xxx girls .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\italian gay public .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\InstallTemp\animal fetish uncut shoes (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\norwegian beastiality cum big upskirt .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\chinese nude nude hidden shower .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\canadian handjob voyeur blondie .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\trambling lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african bukkake catfight legs latex .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\malaysia gay horse voyeur (Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cumshot hidden feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\norwegian horse bukkake big boobs .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\asian blowjob gang bang public feet (Jenna,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\gang bang horse licking hairy .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\german fucking hidden boobs mature .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\blowjob cum full movie legs swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\swedish hardcore beastiality big (Sonja,Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\cumshot cum catfight castration (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\porn hot (!) ash girly (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\tmp\bukkake action [free] boots (Gina,Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\asian xxx licking femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\american horse bukkake full movie boots (Janette,Christine).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\Downloaded Program Files\chinese fetish fetish lesbian high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\fetish fucking hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\italian trambling horse hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\black nude hardcore full movie ìï .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\french nude girls glans (Tatjana,Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\swedish bukkake handjob [bangbus] latex .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\indian fucking full movie .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\black horse porn catfight ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\chinese nude hot (!) feet (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\blowjob lesbian full movie stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\sperm lesbian masturbation titts mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\italian porn hidden 40+ (Christine,Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\porn hidden hole .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\canadian cum girls .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\british handjob sperm several models black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\chinese lingerie girls sweet (Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\indian gay horse sleeping hotel (Christine,Britney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\trambling big redhair (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\african trambling gang bang masturbation young .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\spanish kicking full movie high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\french porn lesbian several models sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\russian gay lesbian .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\indian beastiality voyeur latex .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\Temp\danish cumshot xxx masturbation .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\fucking handjob public ash (Janette,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\cum handjob hidden (Gina).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\handjob sperm sleeping glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\canadian lesbian xxx [free] leather (Christine,Britney).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\chinese cumshot nude catfight feet high heels (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\danish bukkake action licking lady (Tatjana,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\asian xxx hardcore [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\italian gay big (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\PLA\Templates\asian gay fucking [free] wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\swedish fetish voyeur .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\french lingerie public mature .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2172 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2172 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2172 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 2424 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 139.17.11.22.in-addr.arpa udp
US 8.8.8.8:53 100.220.136.48.in-addr.arpa udp
US 8.8.8.8:53 241.142.71.234.in-addr.arpa udp
US 8.8.8.8:53 207.106.70.243.in-addr.arpa udp
US 8.8.8.8:53 219.144.50.162.in-addr.arpa udp
US 8.8.8.8:53 216.250.36.131.in-addr.arpa udp
US 8.8.8.8:53 87.170.178.52.in-addr.arpa udp
US 8.8.8.8:53 44.214.221.109.in-addr.arpa udp
US 8.8.8.8:53 67.15.222.227.in-addr.arpa udp
US 8.8.8.8:53 186.74.187.180.in-addr.arpa udp
US 8.8.8.8:53 21.74.147.89.in-addr.arpa udp
US 8.8.8.8:53 124.169.195.128.in-addr.arpa udp
US 8.8.8.8:53 142.65.74.82.in-addr.arpa udp
US 8.8.8.8:53 64.161.200.4.in-addr.arpa udp
US 8.8.8.8:53 58.140.106.209.in-addr.arpa udp
US 8.8.8.8:53 172.15.89.112.in-addr.arpa udp
US 8.8.8.8:53 82.201.79.137.in-addr.arpa udp
US 8.8.8.8:53 60.107.217.184.in-addr.arpa udp
US 8.8.8.8:53 44.25.151.182.in-addr.arpa udp
US 8.8.8.8:53 191.17.245.220.in-addr.arpa udp
US 8.8.8.8:53 54.224.69.1.in-addr.arpa udp
US 8.8.8.8:53 100.3.118.194.in-addr.arpa udp
US 8.8.8.8:53 95.90.63.122.in-addr.arpa udp
US 8.8.8.8:53 246.10.47.143.in-addr.arpa udp
US 8.8.8.8:53 238.252.114.161.in-addr.arpa udp
US 8.8.8.8:53 168.22.219.237.in-addr.arpa udp
US 8.8.8.8:53 161.120.14.154.in-addr.arpa udp

Files

memory/2172-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\handjob sperm licking boobs sm .rar.exe

MD5 963863834d0fb83e671181dfb80d250d
SHA1 5d4221460ca46d59dbe40e50b8c50ec47ba6aa30
SHA256 995ab23422422aed7fa1ca07ac61938a3fd5a771e43316a986d894bfbeebbb24
SHA512 8129303d68407fcc33592ffa27ecd4c801fec6d1f8fda5e41b8163d20a5fcb1deedad1722863b096d0b2714d6b044804ce863f353773071c0669286241368a32

memory/2172-53-0x0000000001F20000-0x0000000001F3D000-memory.dmp

memory/2424-54-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2712-84-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-91-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-104-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-105-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-107-0x0000000001F20000-0x0000000001F3D000-memory.dmp

memory/2172-109-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-112-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-115-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-120-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-123-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-126-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-129-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-132-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-135-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-138-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-141-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2172-144-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:03

Reported

2024-04-03 19:05

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\sperm gang bang girls hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\british cum full movie 40+ (Tatjana,Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\japanese trambling hardcore masturbation sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish trambling lesbian castration (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\asian cum lingerie licking traffic (Christine,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\canadian lesbian beast several models feet leather .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\kicking xxx lesbian vagina leather (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\asian handjob masturbation titts .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\canadian action lingerie hot (!) blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\xxx gang bang several models feet bondage (Melissa,Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie lesbian ash penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\brasilian lingerie voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\asian cumshot girls ash .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\swedish bukkake cumshot [free] bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Google\Temp\american fucking blowjob [bangbus] balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{1FAC69E2-6A78-4418-8957-20DE7094BB95}\EDGEMITMP_86547.tmp\animal hardcore catfight bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\action action public fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\dotnet\shared\malaysia lesbian blowjob several models hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\german beast action several models pregnant (Ashley,Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\action sperm [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\japanese horse catfight titts (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Common Files\microsoft shared\sperm girls redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish trambling voyeur ash .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\italian lesbian licking wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish lingerie masturbation swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\russian horse public .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\fetish licking .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\african animal cum [milf] 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\nude nude catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\spanish lingerie kicking masturbation (Sandy,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\chinese lingerie kicking masturbation boobs mistress (Sandy,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\action public titts circumcision (Gina,Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\horse big mature (Sonja,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\cumshot [milf] legs ΋ .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\fetish beastiality licking vagina (Samantha,Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\american kicking horse public vagina shower .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\chinese porn masturbation ash (Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\handjob nude hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\trambling [milf] hole femdom (Kathrin).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\canadian action [bangbus] ash 50+ .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\action cumshot licking legs .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\malaysia hardcore [milf] (Anniston,Britney).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\norwegian fetish fetish sleeping (Britney,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\horse hidden penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\french gay several models gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\italian action licking ejaculation (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\InstallTemp\horse sleeping pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\american blowjob [milf] titts 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\horse lesbian blondie (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\animal [bangbus] black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\canadian nude handjob hot (!) leather .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\lingerie porn voyeur .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\fucking big (Jade,Kathrin).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\french lingerie lesbian redhair .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\handjob [bangbus] cock gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\brasilian porn full movie titts .rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\chinese blowjob full movie stockings .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\cum masturbation .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\spanish animal full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\japanese xxx kicking several models sweet (Curtney,Jenna).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\russian beastiality porn hidden penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african gang bang beast licking .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\brasilian horse licking Ôï .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\nude gang bang masturbation pregnant (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\porn porn [free] sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\danish hardcore catfight hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\black bukkake uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\PLA\Templates\gang bang gang bang girls glans upskirt (Anniston,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\action uncut blondie (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\cumshot hot (!) boobs balls (Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\bukkake masturbation ejaculation (Anniston,Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\black sperm xxx sleeping ash granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\gang bang gang bang lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\assembly\temp\danish action action [milf] stockings .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\kicking hardcore several models traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\sperm catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\asian gay porn girls .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\lingerie several models boots (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\beast handjob hot (!) redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\italian fucking [bangbus] penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\black nude cum licking penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\sperm gay hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\black beastiality porn voyeur bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\tyrkish gang bang uncut shower (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\brasilian beast girls balls (Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\xxx hardcore licking .avi.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\asian animal sperm masturbation mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\blowjob fucking girls sm .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\african porn fucking [free] bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\security\templates\fucking lesbian 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\canadian porn girls mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\spanish gay lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\sperm public lady (Ashley,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4988 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 4988 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 4988 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 4988 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 4988 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 4988 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 1168 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 1168 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe
PID 1168 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe

"C:\Users\Admin\AppData\Local\Temp\1953df40a750dbc5e981264ef67f593084c01a699f5feefeb00c379b59908827.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 186.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 64.147.20.38.in-addr.arpa udp
US 8.8.8.8:53 140.196.65.218.in-addr.arpa udp
US 8.8.8.8:53 108.236.49.113.in-addr.arpa udp
US 8.8.8.8:53 142.112.154.197.in-addr.arpa udp
US 8.8.8.8:53 92.129.226.96.in-addr.arpa udp
US 8.8.8.8:53 8.123.200.94.in-addr.arpa udp
US 8.8.8.8:53 246.192.169.229.in-addr.arpa udp
US 8.8.8.8:53 105.237.99.95.in-addr.arpa udp
US 8.8.8.8:53 109.27.18.97.in-addr.arpa udp

Files

memory/4988-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish trambling voyeur ash .avi.exe

MD5 16ff47dde7e82d6ff862c0f42b704cfd
SHA1 bd56b02c6b8d7b0e3e64aec44829b8aa38d0a517
SHA256 7f70e7162b7cb1427c8c14d0f19b6b829e5d4dcb810eea36e4dccac06c995528
SHA512 5c51e3e4ccc461f741a812cd35a3540cc926dfec5c495a450bb7cdfe0fb931f6629abcfd245b9f8114329635e18701d2d09bfea0ade9fc373443f2e0fa18cf75

memory/1168-11-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3088-35-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-121-0x0000000000400000-0x000000000041D000-memory.dmp

memory/1168-151-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3088-152-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3804-153-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-154-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-164-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-180-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-202-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-206-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-210-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-215-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-219-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-227-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-231-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-237-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-247-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4988-251-0x0000000000400000-0x000000000041D000-memory.dmp