Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3ed39ahf61
Target 91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f
SHA256 91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f

Threat Level: Known bad

The file 91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

Checks computer location settings

UPX packed file

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:25

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:25

Reported

2024-04-07 23:27

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian horse lingerie [bangbus] hairy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\brasilian beastiality fucking sleeping 50+ (Gina,Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\trambling big glans (Sonja,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\IME\shared\swedish cumshot sperm [milf] upskirt .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\danish animal lesbian public .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\japanese gang bang sperm licking cock (Sandy,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\french trambling several models .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\IME\shared\sperm [milf] fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\gay sleeping young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish animal bukkake several models upskirt .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\bukkake several models .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\beast masturbation cock beautyfull .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Windows Journal\Templates\norwegian gay [bangbus] feet (Gina,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\brasilian cum blowjob girls mature (Christine,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian cum blowjob full movie lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\sperm big glans ash .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\italian action beast girls leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Google\Temp\brasilian beastiality bukkake [free] glans .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\indian kicking lesbian public (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\DVD Maker\Shared\danish cumshot lesbian girls hole ìï (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\horse big (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black porn blowjob several models .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\swedish porn trambling big shoes (Sandy,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\lingerie [milf] bedroom .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\brasilian porn bukkake lesbian feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\italian gang bang blowjob masturbation feet ash .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\brasilian gang bang fucking several models cock bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\american cumshot lesbian masturbation hole mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\norwegian beast girls hole mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\black action beast uncut hole bedroom (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\canadian lingerie licking boots .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\beast girls feet sm (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\kicking bukkake sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian voyeur cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\brasilian animal gay big .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\fetish hardcore lesbian feet mistress (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\asian gay full movie feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\hardcore licking .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\italian porn xxx voyeur glans girly (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\fetish sperm licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\trambling big bondage (Ashley,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\xxx several models Ôë (Sonja,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\security\templates\lesbian catfight .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\danish beastiality beast catfight cock young (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\german bukkake voyeur 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\african sperm catfight cock high heels (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\german bukkake girls hole young (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\danish action lingerie several models circumcision .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\malaysia trambling [bangbus] titts young (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\cumshot bukkake full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\russian horse horse girls cock young (Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\bukkake uncut pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\InstallTemp\lesbian big bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\african bukkake uncut young .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\spanish gay girls latex (Sonja,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\italian animal lesbian full movie cock 50+ (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\malaysia trambling lesbian traffic (Gina,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\norwegian fucking licking sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\horse sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\indian beastiality blowjob lesbian sm .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\brasilian fetish bukkake masturbation hole girly .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\russian fetish hardcore hidden (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\black cumshot lesbian masturbation glans (Sonja,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\tyrkish handjob bukkake [bangbus] boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\kicking horse hidden cock .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\tyrkish gang bang hardcore big .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\kicking fucking voyeur (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\nude horse licking redhair .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\horse hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\french sperm several models high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\canadian trambling [bangbus] titts ìï .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\italian action blowjob sleeping boots .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\sperm sleeping feet swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lingerie voyeur hole beautyfull .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\sperm girls penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\indian cum gay masturbation cock gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\italian cum trambling girls blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\indian fetish lingerie full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\african lingerie full movie boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\xxx lesbian titts .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\handjob horse uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\PLA\Templates\black animal trambling licking cock fishy (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\asian bukkake big titts 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\spanish beast big (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\cumshot fucking public .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\british fucking masturbation cock hotel (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\horse lesbian lesbian mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\cum hardcore [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3052 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 2088 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 2088 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 2088 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 2088 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 3052 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 177.48.220.45.in-addr.arpa udp
US 8.8.8.8:53 71.51.127.76.in-addr.arpa udp
US 8.8.8.8:53 51.184.93.50.in-addr.arpa udp
US 8.8.8.8:53 210.47.176.169.in-addr.arpa udp
US 8.8.8.8:53 94.84.100.216.in-addr.arpa udp
US 8.8.8.8:53 245.169.207.164.in-addr.arpa udp
US 8.8.8.8:53 58.240.31.131.in-addr.arpa udp
US 8.8.8.8:53 71.119.174.161.in-addr.arpa udp
US 8.8.8.8:53 26.161.217.195.in-addr.arpa udp
US 8.8.8.8:53 76.33.215.215.in-addr.arpa udp
US 8.8.8.8:53 97.73.156.68.in-addr.arpa udp
US 8.8.8.8:53 224.150.252.80.in-addr.arpa udp
US 8.8.8.8:53 184.226.208.120.in-addr.arpa udp
US 8.8.8.8:53 106.39.5.121.in-addr.arpa udp
US 8.8.8.8:53 233.121.175.95.in-addr.arpa udp
US 8.8.8.8:53 82.169.75.92.in-addr.arpa udp
US 8.8.8.8:53 68.249.158.217.in-addr.arpa udp
US 8.8.8.8:53 62.154.243.52.in-addr.arpa udp
US 8.8.8.8:53 126.102.50.63.in-addr.arpa udp
US 8.8.8.8:53 150.125.11.51.in-addr.arpa udp

Files

memory/3052-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\brasilian porn bukkake lesbian feet .mpg.exe

MD5 78ce9c7e427268067f0a45554adf8f52
SHA1 b3a75275135af03b91ba3e4d892c4eead5f480aa
SHA256 33ad8cf3cfce46ebaf8f218bf21ea78eccd583075213915feffd3ecb92c162d7
SHA512 62ec4ca9b9b076e9792ea611d42cf501ca726291187acc694a3d157deccd72b263be1cb0e9fde01c9deac2bb1f0248bda2196197416d6631b7adcceadf761358

memory/3052-12-0x0000000004AF0000-0x0000000004B19000-memory.dmp

memory/2088-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2088-61-0x00000000047D0000-0x00000000047F9000-memory.dmp

memory/3052-62-0x0000000005660000-0x0000000005689000-memory.dmp

memory/2408-63-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2420-64-0x0000000000400000-0x0000000000429000-memory.dmp

C:\debug.txt

MD5 d9994679c2b9e032eceb8c952e58b17d
SHA1 df10091aa11c890e3f88523bdf4d6d61ebbc405c
SHA256 78e86c1ab043beb4567db219583cfb6067910ad6a0deb572c10a49445619a882
SHA512 5759207bde8e95658f399df2581853d3a676933b70c735212212cfe239bf415707d407744fe11c42b137e2e9a1342d3f9c9fd0d918c7971a4d5a32252448c398

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:25

Reported

2024-04-07 23:27

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\horse girls .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\lingerie sleeping feet castration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\lesbian lesbian (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm lesbian granny (Sonja,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish beastiality lesbian girls feet hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\sperm girls hole shower (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\japanese kicking hardcore [bangbus] cock .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm hot (!) balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking big feet .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\cum lingerie hot (!) titts fishy (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\gay hot (!) (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\japanese fetish lesbian [bangbus] lady .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\fucking lesbian titts sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Google\Temp\gay hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black fetish lingerie full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\dotnet\shared\japanese porn blowjob catfight boots (Sonja,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\swedish porn horse sleeping (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie voyeur feet sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\american porn blowjob lesbian .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese nude fucking sleeping shower .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\trambling public shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\american fetish hardcore hot (!) hole 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\horse [free] cock .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\bukkake hot (!) (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\black beastiality blowjob hidden gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Common Files\microsoft shared\blowjob [bangbus] feet hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\tyrkish animal beast [milf] feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish cum trambling sleeping titts hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cumshot xxx catfight 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\horse hidden sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\german fucking girls penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\PLA\Templates\tyrkish animal lingerie [bangbus] cock redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\bukkake lesbian cock wifey .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\indian beastiality bukkake big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\horse bukkake hot (!) titts hotel .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\norwegian horse masturbation circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\animal hardcore licking hole .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\african trambling [free] titts hotel .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\cumshot gay licking girly (Ashley,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\asian gay public 40+ .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\swedish beastiality fucking hidden leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\chinese trambling [bangbus] girly .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\american animal lesbian several models high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\cum hardcore sleeping feet bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\tyrkish porn gay lesbian glans fishy (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\russian nude xxx public (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\american cumshot horse masturbation leather (Ashley,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\sperm [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\security\templates\danish action sperm several models .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\handjob beast hidden (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\indian handjob hardcore sleeping ejaculation (Christine,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\indian beastiality trambling full movie (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\beastiality xxx hidden (Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\russian nude blowjob lesbian glans sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\nude beast big swallow (Ashley,Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\danish action bukkake [bangbus] feet .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\cum xxx hidden (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\animal beast hidden girly (Sandy,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\african xxx hot (!) leather .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\handjob blowjob voyeur .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\nude bukkake public hole granny (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\african horse licking high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\Temp\malaysia hardcore big (Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\italian nude lesbian public hole .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\russian porn lingerie girls glans bedroom (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\black animal beast several models feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\nude trambling full movie stockings (Jenna,Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish handjob hardcore voyeur .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\black cumshot fucking big titts bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\black handjob sperm licking hairy .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\tyrkish beastiality hardcore lesbian leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\beastiality lesbian [free] feet young (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\beastiality trambling catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\gang bang lesbian [free] glans (Sonja,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\tyrkish nude beast licking .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\spanish hardcore lesbian cock (Kathrin,Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\french beast [milf] feet redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\bukkake full movie glans redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\gang bang bukkake catfight hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\asian lesbian girls (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\malaysia gay several models beautyfull .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\tyrkish horse beast catfight bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\fucking sleeping (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\tyrkish horse fucking girls 50+ (Sonja,Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\animal trambling catfight feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\porn hardcore hidden (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\canadian blowjob uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\lingerie full movie wifey (Sonja,Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\french lesbian full movie cock beautyfull (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\action lingerie [milf] (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\beast [free] titts femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\Downloaded Program Files\indian nude gay public titts YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\american nude sperm girls cock granny (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\german trambling hidden fishy (Sonja,Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4880 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 4880 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 4880 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 1784 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 1784 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe
PID 1784 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe

"C:\Users\Admin\AppData\Local\Temp\91a5dcbe155ba98a4921d00b5011ef53a303fde1a4d4033deef897788596074f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 239.81.30.58.in-addr.arpa udp
US 8.8.8.8:53 221.250.26.18.in-addr.arpa udp
US 8.8.8.8:53 103.163.125.246.in-addr.arpa udp
US 8.8.8.8:53 66.67.134.125.in-addr.arpa udp
US 8.8.8.8:53 82.173.199.213.in-addr.arpa udp
US 8.8.8.8:53 29.27.101.20.in-addr.arpa udp
US 8.8.8.8:53 72.67.193.202.in-addr.arpa udp
US 8.8.8.8:53 119.55.117.71.in-addr.arpa udp
US 8.8.8.8:53 247.96.65.158.in-addr.arpa udp
US 8.8.8.8:53 192.122.138.178.in-addr.arpa udp
US 8.8.8.8:53 134.236.117.80.in-addr.arpa udp
US 8.8.8.8:53 11.57.137.21.in-addr.arpa udp
US 8.8.8.8:53 28.125.62.181.in-addr.arpa udp
US 8.8.8.8:53 206.167.152.193.in-addr.arpa udp
US 8.8.8.8:53 229.20.62.114.in-addr.arpa udp
US 8.8.8.8:53 163.215.126.7.in-addr.arpa udp
US 8.8.8.8:53 204.220.157.187.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.36.233.96.in-addr.arpa udp
US 8.8.8.8:53 248.79.233.3.in-addr.arpa udp
US 8.8.8.8:53 86.14.38.140.in-addr.arpa udp
US 8.8.8.8:53 90.102.233.126.in-addr.arpa udp
US 8.8.8.8:53 94.156.170.98.in-addr.arpa udp
US 8.8.8.8:53 198.242.195.243.in-addr.arpa udp
US 8.8.8.8:53 198.192.25.96.in-addr.arpa udp
US 8.8.8.8:53 254.198.20.224.in-addr.arpa udp
US 8.8.8.8:53 61.228.162.192.in-addr.arpa udp
US 8.8.8.8:53 253.88.9.100.in-addr.arpa udp
US 8.8.8.8:53 148.111.167.2.in-addr.arpa udp
US 8.8.8.8:53 141.69.89.221.in-addr.arpa udp
US 8.8.8.8:53 60.141.66.93.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.42.123.107.in-addr.arpa udp
US 8.8.8.8:53 60.42.41.44.in-addr.arpa udp
US 8.8.8.8:53 104.130.93.33.in-addr.arpa udp
US 8.8.8.8:53 67.162.106.168.in-addr.arpa udp
US 8.8.8.8:53 213.221.129.58.in-addr.arpa udp
US 8.8.8.8:53 195.42.79.218.in-addr.arpa udp
US 8.8.8.8:53 159.122.97.171.in-addr.arpa udp
US 8.8.8.8:53 73.212.203.217.in-addr.arpa udp
US 8.8.8.8:53 85.16.135.191.in-addr.arpa udp
US 8.8.8.8:53 23.197.242.79.in-addr.arpa udp
US 8.8.8.8:53 93.84.5.60.in-addr.arpa udp
US 8.8.8.8:53 155.6.241.58.in-addr.arpa udp
US 8.8.8.8:53 48.141.41.108.in-addr.arpa udp
US 8.8.8.8:53 241.193.50.175.in-addr.arpa udp
US 8.8.8.8:53 246.139.245.81.in-addr.arpa udp
US 8.8.8.8:53 26.2.116.182.in-addr.arpa udp
US 8.8.8.8:53 250.242.99.223.in-addr.arpa udp
US 8.8.8.8:53 201.217.226.155.in-addr.arpa udp
US 8.8.8.8:53 20.59.23.172.in-addr.arpa udp
US 8.8.8.8:53 185.130.221.39.in-addr.arpa udp
US 8.8.8.8:53 215.192.56.24.in-addr.arpa udp
US 8.8.8.8:53 147.191.128.30.in-addr.arpa udp
US 8.8.8.8:53 11.78.195.50.in-addr.arpa udp
US 8.8.8.8:53 63.198.75.247.in-addr.arpa udp
US 8.8.8.8:53 215.105.213.221.in-addr.arpa udp
US 8.8.8.8:53 100.107.102.4.in-addr.arpa udp
US 8.8.8.8:53 238.238.106.35.in-addr.arpa udp
US 8.8.8.8:53 245.173.219.29.in-addr.arpa udp
US 8.8.8.8:53 209.228.132.14.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4880-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\lingerie voyeur feet sweet .mpg.exe

MD5 ccac77b13a185b338482ffe4ebcf0ab3
SHA1 c0403ebaf4fb452d2f7e27b78613dbf2aa81d1af
SHA256 2276bbb86b773e3a0b8348f41d437feadb993aeb12e8d1627f8f991d28564da1
SHA512 1a6aa80f846512a5f209d7a79d427fc4759d7e593464432f63d6a5b2fe4a47ffc4fb779a7cc22c9346d5aa2a2082ad9e46520d5d9579b4e2c73db30f7c7234ca

memory/1784-72-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3536-166-0x0000000000400000-0x0000000000429000-memory.dmp