Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-1vmn8ach36
Target 6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e
SHA256 6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e

Threat Level: Known bad

The file 6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:58

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:58

Reported

2024-04-06 22:00

Platform

win7-20240215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
6 matches; no description, indicator, process or target details recorded (all N/A)

UPX dump on OEP (original entry point)

Description Indicator Process Target
8 matches; no description, indicator, process or target details recorded (all N/A)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
8 matches; no description, indicator, process or target details recorded (all N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\cumshot public (Sarah,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\beastiality big (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\danish cumshot [free] mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beastiality animal licking boots .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\System32\DriverStore\Temp\gang bang lesbian feet hairy (Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\blowjob bukkake licking glans lady .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\IME\shared\russian cum [free] castration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\horse hardcore [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\IME\shared\american kicking licking ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\norwegian action animal several models .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\porn licking pregnant (Sylvia,Britney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\horse masturbation cock fishy (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Windows Journal\Templates\trambling blowjob lesbian (Kathrin).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\french lesbian gay sleeping .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\cum cumshot voyeur balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\african kicking kicking public blondie .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\malaysia animal fetish uncut lady .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\african handjob [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\cumshot big shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\danish bukkake [bangbus] boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\DVD Maker\Shared\handjob sleeping hotel (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\swedish cum [milf] bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german cum public (Gina).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\cum lesbian [milf] feet traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\danish nude lesbian titts latex (Janette,Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black gang bang beastiality public swallow .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\xxx hot (!) black hairunshaved (Melissa,Christine).rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\german lesbian kicking big castration (Sandy,Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\bukkake trambling big nipples (Sarah,Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\indian trambling licking girly (Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\norwegian bukkake gang bang masturbation swallow .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\malaysia beast girls boobs gorgeoushorny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\german cum hidden ash sm (Christine,Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\african gang bang lingerie hot (!) boobs hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\asian cum hidden boobs .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\african bukkake [free] mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian action masturbation sm (Jade,Ashley).rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\norwegian beast trambling lesbian girly .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\german horse trambling girls sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\bukkake several models boots (Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\japanese kicking several models (Tatjana,Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\american fetish several models .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\beast girls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\tmp\fetish lesbian [bangbus] upskirt (Ashley,Ashley).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\norwegian handjob horse masturbation (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\gang bang beastiality big ìï .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\malaysia animal handjob licking .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\american beastiality several models femdom (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\italian handjob horse hot (!) upskirt (Karin,Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\temp\animal bukkake hot (!) (Janette,Jenna).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\italian porn fetish masturbation feet shower .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\gay girls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian cum handjob masturbation feet .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\animal porn hot (!) legs latex (Jade,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\german fetish lingerie licking glans gorgeoushorny (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\french trambling beast voyeur .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\beastiality big blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\black sperm [free] hairy (Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\cumshot hidden titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\fucking trambling voyeur boobs boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\danish cumshot fetish [milf] granny (Melissa,Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\canadian porn uncut castration .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\indian trambling lesbian full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\british cumshot trambling catfight 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\lingerie girls legs young .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\spanish fetish licking lady (Liz,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\japanese animal [free] feet black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\trambling [bangbus] nipples swallow .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\bukkake hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\spanish hardcore hidden feet .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\gang bang cumshot catfight .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\norwegian horse lesbian full movie 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\african horse fucking full movie (Curtney,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\chinese action gay [bangbus] castration .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\blowjob hot (!) swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian beast fetish big cock wifey .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\african fetish girls 50+ .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\norwegian gang bang big ìï .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\fucking blowjob hot (!) hole black hairunshaved (Karin,Christine).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\african sperm girls (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\spanish gang bang licking balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\brasilian blowjob [milf] (Melissa,Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\danish cumshot hot (!) legs leather .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian cum several models (Melissa,Ashley).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\black animal hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\tyrkish horse fucking girls .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\danish gay licking pregnant .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\russian beastiality licking ash .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\swedish trambling sperm voyeur glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
43 events, all attributed to process C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe; no description, indicator or target details recorded (N/A)
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2604 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2604 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2604 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2604 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 2944 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 91.75.207.168.in-addr.arpa udp
US 8.8.8.8:53 87.153.209.222.in-addr.arpa udp
US 8.8.8.8:53 208.24.139.161.in-addr.arpa udp
US 8.8.8.8:53 100.89.82.19.in-addr.arpa udp
US 8.8.8.8:53 239.51.92.26.in-addr.arpa udp
US 8.8.8.8:53 107.156.119.253.in-addr.arpa udp
US 8.8.8.8:53 149.171.13.156.in-addr.arpa udp
US 8.8.8.8:53 17.117.41.211.in-addr.arpa udp
US 8.8.8.8:53 7.48.186.37.in-addr.arpa udp
US 8.8.8.8:53 23.213.40.214.in-addr.arpa udp
US 8.8.8.8:53 222.120.158.181.in-addr.arpa udp
US 8.8.8.8:53 110.6.177.12.in-addr.arpa udp
US 8.8.8.8:53 34.8.97.148.in-addr.arpa udp
US 8.8.8.8:53 232.4.113.80.in-addr.arpa udp
US 8.8.8.8:53 5.49.166.15.in-addr.arpa udp
US 8.8.8.8:53 223.63.15.249.in-addr.arpa udp
US 8.8.8.8:53 6.63.166.160.in-addr.arpa udp
US 8.8.8.8:53 39.115.189.33.in-addr.arpa udp
US 8.8.8.8:53 34.209.250.225.in-addr.arpa udp
US 8.8.8.8:53 20.103.159.178.in-addr.arpa udp
US 8.8.8.8:53 109.201.67.27.in-addr.arpa udp
US 8.8.8.8:53 175.212.214.178.in-addr.arpa udp
US 8.8.8.8:53 56.38.16.151.in-addr.arpa udp
US 8.8.8.8:53 141.124.120.58.in-addr.arpa udp
US 8.8.8.8:53 24.122.43.21.in-addr.arpa udp
US 8.8.8.8:53 211.182.21.169.in-addr.arpa udp
US 8.8.8.8:53 237.117.113.54.in-addr.arpa udp
US 8.8.8.8:53 213.104.41.70.in-addr.arpa udp

Files

memory/2944-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\cum cumshot voyeur balls .mpg.exe

MD5 babe407d904bf047358bdde9a23b1c4d
SHA1 a1b5b4f20517dd33d26966b16aa07de2d0eed784
SHA256 c611832c46a0cbd64492eb4bdd7215e5230dbdeaf739f433b882e15d3fd0e9d2
SHA512 8ce45e2527567a361fe2b7c06457579d316c58174280aa384ef73299f35d44443a16a6c7c9e83e6bcd705facf7e27ca39f3246c4a39dd4726746809326c042f8

memory/2944-64-0x0000000004F70000-0x0000000004F8E000-memory.dmp

memory/2604-65-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2604-90-0x00000000045C0000-0x00000000045DE000-memory.dmp

memory/2944-91-0x0000000004F80000-0x0000000004F9E000-memory.dmp

memory/2664-93-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2852-92-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2944-109-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2944-111-0x0000000004F70000-0x0000000004F8E000-memory.dmp

memory/2604-114-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2604-115-0x00000000045C0000-0x00000000045DE000-memory.dmp

memory/2944-116-0x0000000004F80000-0x0000000004F9E000-memory.dmp

memory/2852-117-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:58

Reported

2024-04-06 22:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish xxx [free] ash (Gina).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\chinese cum full movie feet swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\british xxx [milf] femdom (Sylvia,Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\french xxx [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\italian handjob blowjob public ash (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black gang bang hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\italian xxx cumshot full movie hairy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\german horse sleeping glans .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\trambling gang bang full movie mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\System32\DriverStore\Temp\tyrkish beast bukkake hidden leather .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\spanish fetish trambling catfight hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\malaysia beast blowjob hidden femdom .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\brasilian hardcore lesbian cock (Jenna,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\german action fucking hot (!) hole .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\american porn lesbian full movie legs .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\malaysia handjob gay voyeur young .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\dotnet\shared\italian gang bang [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\cumshot xxx sleeping (Christine,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fucking full movie mistress (Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\french blowjob cumshot voyeur penetration (Melissa,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Google\Temp\norwegian animal full movie .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Common Files\microsoft shared\american hardcore [milf] gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\action hot (!) redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\cum [free] legs black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\handjob masturbation penetration (Sylvia,Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\fetish hidden .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\tyrkish trambling [milf] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\hardcore [milf] beautyfull (Christine,Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\asian handjob uncut balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\trambling uncut shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\asian gay voyeur (Gina).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\american kicking voyeur femdom .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\danish cum public black hairunshaved (Britney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\british horse lingerie catfight vagina latex (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\italian sperm catfight cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\malaysia horse public ash shoes (Christine).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\german horse [milf] YEâPSè& (Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\russian porn catfight mature (Anniston,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\german blowjob several models .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\japanese nude trambling girls ash shoes (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\tyrkish hardcore catfight hole lady .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\black nude full movie upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\lesbian [bangbus] upskirt .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\japanese beast nude hidden .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\hardcore trambling [bangbus] granny .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\fucking hardcore big .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\horse beastiality girls (Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\russian handjob hardcore hidden (Sandy,Kathrin).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\brasilian beastiality sleeping leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\trambling licking upskirt .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\gay girls ash .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\american cum hidden .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\fetish fetish masturbation vagina .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\british hardcore handjob girls feet sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\handjob [free] granny .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\black cumshot girls .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\trambling full movie fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\german beastiality several models fishy (Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\black nude public bondage (Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\danish porn [free] (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\indian sperm porn catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\african porn hidden .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\CbsTemp\indian nude [bangbus] mature (Sandy,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\black bukkake [milf] 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\black trambling blowjob lesbian ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\blowjob hot (!) ash hairy (Ashley).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\french horse handjob [milf] (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\InputMethod\SHARED\chinese blowjob porn sleeping redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\canadian xxx nude several models .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\indian horse bukkake uncut nipples sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\malaysia hardcore voyeur feet YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\cumshot catfight girly .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\cumshot horse several models (Tatjana,Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\beastiality nude voyeur pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\canadian blowjob public hole penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\malaysia lingerie catfight cock shoes (Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\lesbian porn hot (!) mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\sperm [milf] glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\italian beast [bangbus] upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\spanish horse animal several models .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\action cumshot [milf] sm .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\danish blowjob gay full movie .avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\asian horse masturbation hairy (Jenna).mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\fucking [free] (Sandy).zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\nude sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\malaysia trambling uncut YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\german sperm licking titts black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\chinese gay girls pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\porn kicking hot (!) legs .rar.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\action lingerie public glans bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\russian gang bang blowjob uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\spanish cumshot [free] young .mpg.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\beast catfight latex (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3652 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 3652 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 3652 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe
PID 464 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe

"C:\Users\Admin\AppData\Local\Temp\6ac1031e813cd777546285fcc6bc23388c37490b90765910d601e632c9721c6e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 220.228.231.197.in-addr.arpa udp
US 8.8.8.8:53 247.102.15.201.in-addr.arpa udp
US 8.8.8.8:53 15.136.129.174.in-addr.arpa udp
US 8.8.8.8:53 140.115.171.99.in-addr.arpa udp
US 8.8.8.8:53 177.150.112.199.in-addr.arpa udp
US 8.8.8.8:53 17.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 141.127.171.200.in-addr.arpa udp
US 8.8.8.8:53 213.60.132.29.in-addr.arpa udp
US 8.8.8.8:53 65.219.44.216.in-addr.arpa udp
US 8.8.8.8:53 139.7.133.76.in-addr.arpa udp
US 8.8.8.8:53 113.100.143.34.in-addr.arpa udp
US 8.8.8.8:53 145.15.249.52.in-addr.arpa udp
US 8.8.8.8:53 143.103.213.211.in-addr.arpa udp
US 8.8.8.8:53 48.98.85.204.in-addr.arpa udp
US 8.8.8.8:53 5.105.104.242.in-addr.arpa udp
US 8.8.8.8:53 176.37.2.171.in-addr.arpa udp
US 8.8.8.8:53 120.233.206.107.in-addr.arpa udp
IE 52.111.236.23:443 tcp
US 8.8.8.8:53 211.156.42.50.in-addr.arpa udp
US 8.8.8.8:53 199.138.229.26.in-addr.arpa udp
US 8.8.8.8:53 110.150.160.172.in-addr.arpa udp
US 8.8.8.8:53 174.122.2.249.in-addr.arpa udp
US 8.8.8.8:53 132.75.48.95.in-addr.arpa udp
US 8.8.8.8:53 112.164.136.69.in-addr.arpa udp
US 8.8.8.8:53 208.197.44.252.in-addr.arpa udp
US 8.8.8.8:53 213.87.206.226.in-addr.arpa udp
US 8.8.8.8:53 214.104.88.54.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.177.30.34.in-addr.arpa udp
US 8.8.8.8:53 137.225.96.99.in-addr.arpa udp
US 8.8.8.8:53 95.37.225.236.in-addr.arpa udp
US 8.8.8.8:53 133.145.237.169.in-addr.arpa udp
US 8.8.8.8:53 235.21.229.189.in-addr.arpa udp
US 8.8.8.8:53 51.37.226.178.in-addr.arpa udp
US 8.8.8.8:53 27.77.93.198.in-addr.arpa udp
US 8.8.8.8:53 169.83.30.48.in-addr.arpa udp
US 8.8.8.8:53 124.65.192.31.in-addr.arpa udp
US 8.8.8.8:53 182.210.189.103.in-addr.arpa udp
US 8.8.8.8:53 80.163.87.21.in-addr.arpa udp
US 8.8.8.8:53 136.173.210.123.in-addr.arpa udp
US 8.8.8.8:53 133.146.171.27.in-addr.arpa udp
US 8.8.8.8:53 150.229.95.31.in-addr.arpa udp
US 8.8.8.8:53 138.4.64.221.in-addr.arpa udp
US 8.8.8.8:53 194.101.48.134.in-addr.arpa udp
US 8.8.8.8:53 84.186.154.212.in-addr.arpa udp
US 8.8.8.8:53 246.57.160.97.in-addr.arpa udp
US 8.8.8.8:53 210.110.139.42.in-addr.arpa udp
US 8.8.8.8:53 81.165.194.94.in-addr.arpa udp
US 8.8.8.8:53 59.27.123.148.in-addr.arpa udp
US 8.8.8.8:53 3.92.253.182.in-addr.arpa udp
US 8.8.8.8:53 148.195.16.182.in-addr.arpa udp
US 8.8.8.8:53 62.200.204.138.in-addr.arpa udp
US 8.8.8.8:53 87.169.75.190.in-addr.arpa udp
US 8.8.8.8:53 231.132.157.241.in-addr.arpa udp
US 8.8.8.8:53 53.110.132.99.in-addr.arpa udp
US 8.8.8.8:53 99.190.242.123.in-addr.arpa udp
US 8.8.8.8:53 232.161.122.211.in-addr.arpa udp
US 8.8.8.8:53 252.81.48.215.in-addr.arpa udp
US 8.8.8.8:53 231.144.151.182.in-addr.arpa udp
US 8.8.8.8:53 5.18.72.6.in-addr.arpa udp
US 8.8.8.8:53 104.22.13.216.in-addr.arpa udp
US 8.8.8.8:53 79.181.52.67.in-addr.arpa udp
US 8.8.8.8:53 9.34.77.175.in-addr.arpa udp
US 8.8.8.8:53 191.17.136.38.in-addr.arpa udp
US 8.8.8.8:53 14.197.217.41.in-addr.arpa udp
US 8.8.8.8:53 84.31.185.189.in-addr.arpa udp

Files

memory/3652-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\action hot (!) redhair .mpg.exe

MD5 eed2debb7d8df82addd37cfc1590ceca
SHA1 2eff46a0c22b18b7135f98872579b0b12fb73454
SHA256 47afd98c617faa5457eb6d56f61f7dc1bb1ade5ce07bf98a03ff96f0add6645c
SHA512 9e54b5461580e39b1a32d4d20dce775ce87d235e28071cb572e7346762fd5129703063f20ccbbdb661a72d16dceacf1ab0abeeab478501f703d5a3bf7d64649c

memory/464-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2696-146-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3652-187-0x0000000000400000-0x000000000041E000-memory.dmp

memory/464-191-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2696-192-0x0000000000400000-0x000000000041E000-memory.dmp