Malware Analysis Report

2024-11-15 06:06

Sample ID 240407-x2dhcace27
Target 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09
SHA256 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Checks computer location settings

UPX packed file

Reads user/profile data of web browsers

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:20

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:20

Reported

2024-04-07 19:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Enumerates connected drives


Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 2488 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.106.222.108.in-addr.arpa udp
US 8.8.8.8:53 114.139.167.17.in-addr.arpa udp
US 8.8.8.8:53 69.121.197.34.in-addr.arpa udp
US 8.8.8.8:53 128.112.177.92.in-addr.arpa udp
US 8.8.8.8:53 89.107.6.26.in-addr.arpa udp
US 8.8.8.8:53 201.58.33.140.in-addr.arpa udp
US 8.8.8.8:53 83.167.198.44.in-addr.arpa udp
US 8.8.8.8:53 251.155.140.108.in-addr.arpa udp
US 8.8.8.8:53 127.209.155.139.in-addr.arpa udp
US 8.8.8.8:53 126.213.120.135.in-addr.arpa udp
US 8.8.8.8:53 163.236.136.10.in-addr.arpa udp
US 8.8.8.8:53 26.182.189.220.in-addr.arpa udp
US 8.8.8.8:53 152.86.94.49.in-addr.arpa udp
US 8.8.8.8:53 207.165.192.174.in-addr.arpa udp
US 8.8.8.8:53 94.188.150.76.in-addr.arpa udp
US 8.8.8.8:53 210.80.63.78.in-addr.arpa udp
US 8.8.8.8:53 63.233.1.17.in-addr.arpa udp
US 8.8.8.8:53 234.122.253.146.in-addr.arpa udp
US 8.8.8.8:53 97.246.162.165.in-addr.arpa udp
US 8.8.8.8:53 82.84.159.55.in-addr.arpa udp
US 8.8.8.8:53 126.95.109.163.in-addr.arpa udp
US 8.8.8.8:53 21.8.45.118.in-addr.arpa udp
US 8.8.8.8:53 133.105.210.240.in-addr.arpa udp
US 8.8.8.8:53 171.209.22.81.in-addr.arpa udp
US 8.8.8.8:53 224.53.71.107.in-addr.arpa udp
US 8.8.8.8:53 42.69.157.216.in-addr.arpa udp
US 8.8.8.8:53 193.2.194.230.in-addr.arpa udp
US 8.8.8.8:53 224.48.199.21.in-addr.arpa udp

Files

memory/2732-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\trambling several models (Karin).mpg.exe

MD5 938fd0ac9acd6a43f66ec67715c2819d
SHA1 3bd2777c4408eb062fa7ac9e4c21265532bdda2f
SHA256 48c07e53ef137c257c6799e968e215928d3dee92cfac96ea82721124d982f591
SHA512 5d4dec0545cfc3d03a67107e89fac758405a34caa4ff5cba3ee6e752e10f01d3bc5b9bf33a24c949848af4c98adca1be446f0b79ca48395659973d2e373235d7

memory/2732-65-0x00000000051B0000-0x00000000051D1000-memory.dmp

memory/2488-66-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2488-88-0x0000000004CE0000-0x0000000004D01000-memory.dmp

memory/1688-89-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2732-106-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2732-108-0x00000000051B0000-0x00000000051D1000-memory.dmp

memory/2488-109-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2488-110-0x0000000004CE0000-0x0000000004D01000-memory.dmp

memory/1688-111-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:20

Reported

2024-04-07 19:23

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black beastiality sperm sleeping titts (Sandy,Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\System32\DriverStore\Temp\lesbian girls hole .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\danish action lesbian big titts (Jenna,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\xxx catfight wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob uncut titts .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\indian cum trambling public .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\bukkake hot (!) YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\italian handjob blowjob several models bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\lesbian full movie sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\italian cum xxx voyeur feet stockings (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\blowjob girls (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\sperm masturbation beautyfull (Jenna,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish horse blowjob licking 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\xxx several models .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\dotnet\shared\italian gang bang blowjob uncut feet wifey (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\swedish kicking hardcore girls beautyfull .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\indian horse gay hot (!) titts redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\american gang bang lesbian uncut hole .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish fetish trambling catfight (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish cum hardcore [free] boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\lingerie big hole traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Google\Temp\swedish beastiality trambling full movie feet lady .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Common Files\microsoft shared\black fetish lingerie catfight hole penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\russian handjob bukkake uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian fetish beast masturbation glans .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\russian horse xxx catfight granny .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{1FAC69E2-6A78-4418-8957-20DE7094BB95}\EDGEMITMP_86547.tmp\beast hot (!) 50+ .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian cumshot xxx [bangbus] (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fucking public cock pregnant (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\swedish animal fucking several models cock beautyfull .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\american handjob bukkake masturbation feet wifey (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\xxx [milf] black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\lesbian sleeping .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\hardcore masturbation (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\gay hot (!) hole .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\hardcore sleeping glans gorgeoushorny (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\fetish horse [milf] balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\american fetish gay public .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\german trambling licking hole .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\german fucking sleeping (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\beastiality gay full movie hole swallow (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\danish beastiality beast girls titts bedroom (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\swedish beastiality sperm masturbation 50+ .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\british lesbian catfight hole .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\handjob lingerie sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\asian blowjob sleeping glans pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\action horse hot (!) balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\french sperm [bangbus] hole (Jenna,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\indian nude trambling [milf] titts black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\horse hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\french horse public .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish cum fucking [free] 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\PLA\Templates\brasilian animal hardcore [milf] 50+ (Ashley,Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\german blowjob [free] feet penetration (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\handjob sperm voyeur feet .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\american action horse [milf] black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\american cumshot blowjob several models ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\danish action fucking uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\handjob trambling full movie hole wifey (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\CbsTemp\gay lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\blowjob catfight YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\spanish blowjob [milf] gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\tyrkish action gay [bangbus] glans .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\italian gang bang horse sleeping bondage (Ashley,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\italian horse hardcore licking hole lady .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\german hardcore hidden pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\chinese lesbian hot (!) cock sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\beast [bangbus] cock .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\japanese beastiality sperm full movie swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\american horse trambling [bangbus] (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\gang bang fucking [milf] cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\asian fucking big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\british horse sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\kicking beast big bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\nude lingerie hidden hole fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\porn beast sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\beastiality sperm licking glans .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\fucking lesbian cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\blowjob girls cock pregnant (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\bukkake voyeur glans (Britney,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish cum blowjob catfight shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\african beast big cock ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\norwegian gay full movie sm (Ashley,Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\trambling [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\french sperm [free] titts mistress (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\cumshot trambling hot (!) fishy .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\malaysia blowjob [bangbus] hole .avi.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\cum xxx lesbian high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\norwegian fucking public 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\chinese blowjob [free] glans YEâPSè& (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\xxx girls cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\italian beastiality hardcore girls ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\russian horse gay big feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\kicking trambling hot (!) ejaculation .rar.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\horse full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 3792 N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 3792 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe
PID 4768 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

Processes

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe

"C:\Users\Admin\AppData\Local\Temp\22620887783475107184ef20a540129722ef17873f95cd99852b978dfd2a6d09.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=3016,i,1323102786462900035,7687994236215859601,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.184.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.184.250.142.in-addr.arpa udp

Files

memory/4768-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\italian fetish beast masturbation glans .avi.exe

MD5 6228d4431048e90d75fdd62606bee860
SHA1 eac1609e628da32612363a3b8c55f6f1989288c8
SHA256 0c0de97b857109528c64afebd9c2ab5513161e2df5da8197083f75c4913341b8
SHA512 e30c96002ec6a1e457d8faa4dc7342afda213f61827ccc6f430c163e76032b0a05ef25b1559845ac77a6cc852fbe96f10990d324116390f3862e8a9f7b7f5c5c

memory/3792-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3400-36-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4592-38-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4768-165-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3792-170-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3400-172-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4592-180-0x0000000000400000-0x0000000000421000-memory.dmp