Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3dvdvahf5t
Target 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c
SHA256 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c

Threat Level: Known bad

The file 9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:24

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:24

Reported

2024-04-07 23:27

Platform

win7-20240221-en

Max time kernel

162s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish handjob blowjob several models feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\asian blowjob [bangbus] 40+ .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\black gang bang lesbian big femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american horse sperm hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\brasilian cum lesbian licking glans traffic (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian animal beast lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\System32\DriverStore\Temp\hardcore [free] .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\IME\shared\danish action lesbian several models hole balls (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\sperm masturbation pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\IME\shared\black porn hardcore [bangbus] beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\indian horse gay hot (!) (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black porn gay girls balls .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\american porn gay full movie .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\DVD Maker\Shared\russian nude lingerie catfight hole mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\hardcore lesbian hole beautyfull (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\russian handjob gay catfight sm .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\beast hidden young .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\norwegian fucking [free] (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Windows Journal\Templates\tyrkish gang bang blowjob girls (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Google\Temp\tyrkish gang bang xxx sleeping (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\xxx licking cock hotel .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\hardcore masturbation YEâPSè& (Ashley,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\trambling sleeping girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\fucking public lady .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian animal trambling [free] sm .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\blowjob big ejaculation .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\japanese gang bang lesbian masturbation glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\canadian blowjob lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\canadian hardcore full movie leather (Gina,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\black beastiality horse [milf] shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fucking hidden titts ejaculation (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\fetish trambling sleeping hole bedroom (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\fucking [bangbus] feet .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\xxx full movie latex .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\indian gang bang sperm licking cock ìï .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\danish nude xxx [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\hardcore licking .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\canadian lesbian catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\fucking voyeur titts stockings (Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\blowjob voyeur hole castration (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\animal horse sleeping upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\tyrkish gang bang lingerie uncut YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\tmp\brasilian porn gay full movie glans .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\canadian horse lesbian feet (Britney,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\american gang bang lingerie uncut cock leather .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\nude fucking catfight .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\gang bang sperm [milf] feet latex .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\horse blowjob sleeping hairy (Anniston,Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\animal bukkake licking feet (Sandy,Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\spanish sperm [free] .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\action lingerie [bangbus] (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\african horse [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\brasilian animal sperm sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\cum gay big fishy .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\danish beastiality blowjob voyeur high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\danish beastiality lesbian public sm (Kathrin,Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\german trambling lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\swedish kicking beast lesbian young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\gang bang fucking voyeur feet hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\chinese trambling full movie (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\PLA\Templates\bukkake catfight traffic .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\lingerie public mature .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\bukkake [free] glans swallow .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black animal blowjob masturbation glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\tyrkish cumshot lesbian hidden feet bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\kicking gay several models feet bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\french blowjob full movie balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\african bukkake sleeping cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\chinese horse sleeping (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\blowjob girls .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\japanese porn trambling several models (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\xxx [free] .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\swedish nude bukkake public .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\animal lesbian [bangbus] young .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\danish kicking blowjob masturbation cock upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\beastiality beast lesbian glans penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\nude beast public glans circumcision (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\tyrkish horse gay hot (!) young .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\action horse hidden fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\indian cumshot beast licking (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\spanish bukkake hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\action beast [milf] 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\african trambling [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\beastiality lesbian full movie (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\american kicking horse licking cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SoftwareDistribution\Download\black horse fucking [bangbus] feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\german xxx girls (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\spanish beast sleeping castration .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 3000 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 3000 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 3000 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2608 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2608 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2608 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2608 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 181.219.9.61.in-addr.arpa udp
US 8.8.8.8:53 68.166.174.6.in-addr.arpa udp
US 8.8.8.8:53 205.130.198.39.in-addr.arpa udp
US 8.8.8.8:53 120.97.207.209.in-addr.arpa udp
US 8.8.8.8:53 13.135.13.11.in-addr.arpa udp
US 8.8.8.8:53 234.128.163.122.in-addr.arpa udp
US 8.8.8.8:53 62.33.97.55.in-addr.arpa udp
US 8.8.8.8:53 53.216.3.237.in-addr.arpa udp
US 8.8.8.8:53 234.4.231.12.in-addr.arpa udp
US 8.8.8.8:53 99.119.58.145.in-addr.arpa udp
US 8.8.8.8:53 143.225.90.174.in-addr.arpa udp
US 8.8.8.8:53 169.194.185.215.in-addr.arpa udp

Files

memory/3000-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\trambling sleeping girly .mpg.exe

MD5 ccfe1717230efe8e01f11ee39b17fb66
SHA1 795d285dccd08a8cd4c2e727eb78c2f92fbb3f98
SHA256 c0970ddc2f004924e2d8a2d16cfc076360630c9ec6583abb0911f2b5d76ae5ec
SHA512 b9b93753ce2b23885b46453a19f422280db930540a996a4c6cea6fd98f0fe1611b344cbd322db0af73b3005725440d72c0e0b6d47f7dd1f762392939e0796b55

memory/2608-12-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2608-59-0x0000000000820000-0x000000000083C000-memory.dmp

memory/2836-60-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3000-69-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3000-83-0x0000000004A40000-0x0000000004A5C000-memory.dmp

memory/2608-96-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2608-97-0x0000000000820000-0x000000000083C000-memory.dmp

C:\debug.txt

MD5 0d5358c24127a105580397dbc3b3b96e
SHA1 c26ca5615bb4c0e2ff5e31bee83a9641e0c505b5
SHA256 3dc6bc7eea117f50b889bb71832f2fdb58be6ce2d522e860ba10be209c3b14d9
SHA512 74318be32e4298edacb6e82b53c967ea66a03c7213a08a7189147dac7ae99ddb98876d0f3f4746065520b9fb8624d8601d83af9ec229bc99a9568e918e09982c

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:24

Reported

2024-04-07 23:27

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm girls glans beautyfull (Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\sperm hot (!) lady .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\System32\DriverStore\Temp\american cum blowjob catfight glans stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fetish hardcore licking YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian nude gay full movie (Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian cum trambling public .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\brasilian cum fucking [bangbus] feet leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\swedish animal blowjob uncut 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\black nude horse voyeur .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian action xxx licking cock .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\bukkake hot (!) (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\trambling hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\spanish lingerie hidden feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\dotnet\shared\hardcore masturbation (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish handjob xxx uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\russian animal bukkake voyeur sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\gay sleeping femdom .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\german sperm masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian cum blowjob full movie (Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\danish handjob bukkake licking hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish nude gay hot (!) (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\indian nude beast girls hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian kicking fucking big .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Google\Temp\brasilian action sperm hot (!) (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\swedish nude xxx girls (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\trambling full movie titts girly .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\swedish handjob gay hidden (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\gay girls glans circumcision (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian nude beast catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lingerie big cock YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{D3EA2F86-0081-495C-8439-1E64CA71F999}\EDGEMITMP_57EE5.tmp\trambling girls cock swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\cumshot gay voyeur .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\african lingerie public circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\cum bukkake hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\xxx uncut circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\black cum lesbian [milf] (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\horse [free] black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\horse horse licking .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\french trambling [milf] (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\horse trambling masturbation titts high heels (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\french sperm several models feet hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\cumshot sperm girls hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\british lesbian [bangbus] titts lady .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\italian action sperm [free] (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\asian bukkake licking (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\malaysia lesbian catfight circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\malaysia gay catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\porn horse masturbation cock .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\british hardcore uncut feet 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\danish cumshot bukkake catfight ejaculation .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\french blowjob girls circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\trambling [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\beast sleeping (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\asian lingerie lesbian feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\beast full movie ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\danish animal beast licking hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\animal sperm lesbian fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\beast public circumcision (Sonja,Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\chinese horse full movie gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\bukkake masturbation titts swallow (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\horse public .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\PLA\Templates\blowjob full movie hole pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\chinese lingerie big black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\malaysia hardcore public glans gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\italian cumshot gay public titts mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\security\templates\indian action trambling hidden feet latex (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\porn blowjob uncut cock YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\action hardcore [free] (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\french beast [milf] hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\handjob xxx [bangbus] shower (Sonja,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\beast several models penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\beastiality sperm uncut feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\animal horse girls .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french sperm lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\horse beast sleeping titts bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\lesbian full movie feet hairy (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\handjob beast licking (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\italian gang bang xxx [free] glans .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\xxx full movie cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\russian cum lesbian sleeping young .rar.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\chinese sperm [milf] feet (Sonja,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\InputMethod\SHARED\swedish kicking beast big YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\indian kicking fucking public hole black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\malaysia lingerie several models bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\british bukkake masturbation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\american beastiality lesbian big titts stockings .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\fucking hidden high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\handjob lesbian [milf] (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\american cumshot lesbian hot (!) feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\asian xxx full movie (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\swedish animal bukkake several models titts .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\xxx licking glans .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\chinese trambling lesbian cock shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\chinese blowjob big titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\action lingerie full movie YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2952 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2952 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2952 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2952 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2952 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 2952 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 1336 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 1336 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe
PID 1336 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe

"C:\Users\Admin\AppData\Local\Temp\9137159160a9f84a6983dd05668cfc3100003d55301ad184b1313127b06a2c0c.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1012 --field-trial-handle=2228,i,8155065313278028490,17854605419281052753,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
NL 142.250.179.202:443 tcp
IE 94.245.104.56:443 tcp
GB 51.140.242.104:443 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 51.140.244.186:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.12.38.122.in-addr.arpa udp
US 8.8.8.8:53 75.208.177.111.in-addr.arpa udp
US 8.8.8.8:53 11.79.106.88.in-addr.arpa udp
US 8.8.8.8:53 236.222.156.230.in-addr.arpa udp
US 8.8.8.8:53 166.182.25.233.in-addr.arpa udp
US 8.8.8.8:53 251.250.104.243.in-addr.arpa udp
US 8.8.8.8:53 181.153.223.45.in-addr.arpa udp
US 8.8.8.8:53 6.58.18.47.in-addr.arpa udp
US 8.8.8.8:53 52.144.154.72.in-addr.arpa udp
US 8.8.8.8:53 26.175.35.204.in-addr.arpa udp
US 8.8.8.8:53 91.79.172.155.in-addr.arpa udp
US 8.8.8.8:53 102.57.27.182.in-addr.arpa udp
US 8.8.8.8:53 4.249.26.247.in-addr.arpa udp
US 8.8.8.8:53 198.120.142.198.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 21.19.128.50.in-addr.arpa udp
US 8.8.8.8:53 104.219.77.92.in-addr.arpa udp
US 8.8.8.8:53 91.165.247.201.in-addr.arpa udp
US 8.8.8.8:53 92.245.251.228.in-addr.arpa udp
US 8.8.8.8:53 202.174.71.50.in-addr.arpa udp
US 8.8.8.8:53 173.202.53.196.in-addr.arpa udp
US 8.8.8.8:53 81.46.169.208.in-addr.arpa udp
US 8.8.8.8:53 180.29.141.152.in-addr.arpa udp
US 8.8.8.8:53 94.193.252.67.in-addr.arpa udp
US 8.8.8.8:53 72.186.75.241.in-addr.arpa udp
US 8.8.8.8:53 231.163.59.129.in-addr.arpa udp
US 8.8.8.8:53 20.175.86.131.in-addr.arpa udp
US 8.8.8.8:53 105.246.109.81.in-addr.arpa udp
US 8.8.8.8:53 181.197.116.63.in-addr.arpa udp
US 8.8.8.8:53 19.85.29.220.in-addr.arpa udp
US 8.8.8.8:53 105.49.222.250.in-addr.arpa udp
US 8.8.8.8:53 232.188.218.156.in-addr.arpa udp
US 8.8.8.8:53 101.242.22.37.in-addr.arpa udp
US 8.8.8.8:53 169.102.227.147.in-addr.arpa udp
US 8.8.8.8:53 191.180.174.126.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

memory/2952-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish handjob xxx uncut .mpg.exe

MD5 709bf9ce42aeac154ca59ac264a0ec8a
SHA1 4fd0984de65abf036f71b388c2a1ecd8f3a75bb6
SHA256 1c9525a11401103038d90ffafe9a930210d74e0e6ecee0a815e52addd4034023
SHA512 f19b3d7e755a3f9cece2aa4feb236735dd4980f5e58b24ddc3d70469c3a768dcedf3bf812146f2f37c8aff1fbf4dd452ad0e1c1f3caa60282fb66e0718528bde

memory/1336-10-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4568-39-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3140-40-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2952-180-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1336-193-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4568-196-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3140-197-0x0000000000400000-0x000000000041C000-memory.dmp