Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-yjllnsdb84
Target 2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f
SHA256 2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f

Threat Level: Known bad

The file 2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:48

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:48

Reported

2024-04-07 19:51

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (matched 2 times; the report records no indicator details)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (matched 8 times; the report records no indicator details)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

The Wow6432Node path shows a 32-bit process writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run through the WOW64 registry redirector on the 64-bit Windows 7 guest. Windows processes that redirected Run key at logon as well, so C:\Windows\mssrv.exe, which the same process drops (see "Drops file in Windows directory" below), is started on every logon.

Enumerates connected drives

The sample opens 23 drive roots as \??\X: (every letter from A: to Z: except C:, D: and F:), walking the whole drive-letter space rather than only the volumes present on the guest.

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Drops file in System32 directory

Across the System32, Program Files and Windows drop lists every file but one follows the same pattern: an adult-themed name, a media or archive extension (.zip, .rar, .avi, .mpg, .mpeg) and then .exe, a double-extension lure placed in template, temp, download and shared folders. The one exception is C:\Windows\mssrv.exe, the file the Run key above points at.

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish fetish lingerie lesbian penetration (Gina,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob girls .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\porn gay [bangbus] cock .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\IME\shared\italian nude trambling lesbian hole .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian cum hardcore masturbation gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\IME\shared\tyrkish porn lingerie hidden hole ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\gay hidden bondage (Kathrin,Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\beast licking hole penetration .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\italian fetish sperm several models shower .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\russian action fucking masturbation glans .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Update\Download\trambling hot (!) wifey (Sonja,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\horse licking penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\indian nude beast [free] titts stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\DVD Maker\Shared\american handjob blowjob several models sm .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\italian handjob xxx licking (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\brasilian action lesbian public black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Google\Temp\italian beastiality lesbian licking femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\lingerie [free] blondie (Ashley,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\brasilian porn bukkake lesbian blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish gang bang fucking [bangbus] titts bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\swedish handjob hardcore uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Windows Journal\Templates\italian cumshot lingerie [bangbus] titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\danish cumshot bukkake catfight titts hairy (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\lesbian lesbian cock sm .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese porn bukkake uncut redhair .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\handjob bukkake uncut cock .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\norwegian horse [bangbus] hole mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\beastiality beast sleeping mature .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\brasilian cum sperm lesbian 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\porn fucking big YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\cum fucking several models titts .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\danish gang bang lesbian [free] black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\chinese sperm hot (!) mature (Kathrin,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\german gay hidden hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\trambling [free] glans mistress (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\lingerie [bangbus] girly .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\trambling masturbation feet .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\indian beastiality bukkake masturbation .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\chinese horse lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\spanish gay big feet 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\canadian xxx licking upskirt (Gina,Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\security\templates\swedish cumshot hardcore masturbation glans beautyfull .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\kicking fucking [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\african lesbian big high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\animal trambling licking .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SoftwareDistribution\Download\black kicking xxx several models titts (Ashley,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\hardcore full movie (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\italian gang bang trambling [free] beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\african sperm big glans .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\malaysia xxx uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\lesbian sleeping fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\african hardcore voyeur feet ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\cumshot gay lesbian glans penetration (Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\brasilian nude hardcore [bangbus] balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\tmp\danish horse bukkake catfight glans .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\russian action trambling hot (!) traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\hardcore catfight titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\black horse lingerie girls leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\lesbian [free] pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\sperm masturbation hole ash .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\black nude lesbian several models glans traffic (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\japanese cumshot gay girls titts .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\horse blowjob catfight (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\black horse beast hot (!) YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\danish cumshot bukkake big titts traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\tyrkish beastiality blowjob voyeur beautyfull .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\horse gay girls feet ìï .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\beast sleeping titts .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\indian fetish hardcore [bangbus] sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\brasilian fetish hardcore hidden glans .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\japanese animal hardcore lesbian latex (Gina,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\black nude lesbian sleeping ash .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\japanese nude bukkake licking .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\xxx catfight mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\kicking sperm catfight 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\brasilian fetish beast [free] glans .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\german xxx uncut feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\InstallTemp\african bukkake full movie cock mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\handjob lesbian several models hole granny (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\swedish horse beast voyeur femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\tyrkish beastiality lingerie hidden traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\canadian gay several models feet sm (Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\german beast big (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\bukkake hidden cock .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\danish handjob beast girls hole femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\spanish sperm licking glans .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish action beast sleeping glans swallow .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\japanese handjob fucking voyeur (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
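
The Run-key row and the file-drop rows above can be turned into host checks mechanically. The Python script below is an added example, not part of this sandbox report or of the tooling that produced it. It parses a constructed subset of rows copied from the behavioral1 tables (the input is embedded; nothing is fetched), recovers the persistence entry, separates the double-extension lures from the one real payload, confirms that the Run-key target is a file the sample itself created, and lists what to look for on a suspect host. The row grammar (description phrase, indicator, sample path, target), the set of description phrases and the lure-extension list are assumptions taken from what is visible on this page.

```python
"""Added example: turn the signature rows on this page into host checks.

Input rows are a constructed subset copied from the behavioral1 tables
above; the row grammar <Description> <Indicator> <Process> <Target> and
the lure-extension list are assumptions taken from what the page shows.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe")

# Constructed subset of rows from the tables above (process path appended).
ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" ' + SAMPLE_EXE + " N/A",
    r"File created C:\Windows\mssrv.exe " + SAMPLE_EXE + " N/A",
    r"File created C:\Windows\System32\DriverStore\Temp"
    r"\gay hidden bondage (Kathrin,Janette).mpg.exe " + SAMPLE_EXE + " N/A",
    r"File created C:\Program Files (x86)\Google\Update\Download"
    r"\trambling hot (!) wifey (Sonja,Tatjana).mpeg.exe " + SAMPLE_EXE + " N/A",
    r"File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources"
    r"_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf"
    r"\hardcore full movie (Jade).zip.exe " + SAMPLE_EXE + " N/A",
    r"File opened (read-only) \??\E: " + SAMPLE_EXE + " N/A",
]

# Description phrases seen in the tables on this page (assumed complete here).
DESCRIPTIONS = ("Set value (str)", "File created", "File opened (read-only)")
# Double-extension lure: a media/archive extension directly before .exe.
LURE_EXT_RE = re.compile(r"\.(zip|rar|avi|mpg|mpeg)\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r'^(?P<key>\\REGISTRY\\MACHINE\\.*\\Run)\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$')


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str, process: str = SAMPLE_EXE) -> Row:
    """Split a rendered row around the known process path; the indicator
    itself contains spaces, so splitting on whitespace would be wrong."""
    head, sep, target = line.rpartition(" " + process + " ")
    if not sep:
        raise ValueError(f"process path not found: {line!r}")
    for desc in DESCRIPTIONS:
        if head.startswith(desc + " "):
            return Row(desc, head[len(desc) + 1:], process, target.strip())
    raise ValueError(f"unknown description: {line!r}")


def run_key_entries(rows):
    """(key, value name, command) for every Run-key write. The report shows
    the data with doubled backslashes; they are collapsed here."""
    out = []
    for r in rows:
        m = RUN_KEY_RE.match(r.indicator) if r.description == "Set value (str)" else None
        if m:
            out.append((m["key"], m["name"], m["value"].replace("\\\\", "\\")))
    return out


def dropped_files(rows):
    return [r.indicator for r in rows if r.description == "File created"]


def lure_files(rows):
    """Dropped files whose name ends in <media or archive ext>.exe: the
    double-extension bait, as opposed to the payload the Run key points at."""
    return [p for p in dropped_files(rows) if LURE_EXT_RE.search(p)]


def drop_directories(rows):
    """How many drops land under each top-level directory (C:\\Windows,
    C:\\Program Files (x86), ...)."""
    return Counter("\\".join(p.split("\\")[:2]) for p in dropped_files(rows))


def persistence_targets_dropped(rows):
    """Run-key commands that resolve to a file this sample itself created:
    the link between the persistence row and the file-drop row."""
    dropped = {p.lower() for p in dropped_files(rows)}
    return [cmd for _, _, cmd in run_key_entries(rows) if cmd.lower() in dropped]


def host_checks(rows):
    """Artifacts a responder should look for on a suspect host, with the
    registry key in the HKLM\\... spelling used by reg.exe and PowerShell."""
    checks = []
    for key, name, cmd in run_key_entries(rows):
        checks.append(("registry", key.replace("\\REGISTRY\\MACHINE", "HKLM"), name, cmd))
    for path in dropped_files(rows):
        checks.append(("file", path))
    return checks


if __name__ == "__main__":
    rows = [parse_row(line) for line in ROWS]
    for check in host_checks(rows):
        print(*check)
    print("lures:", len(lure_files(rows)), "dirs:", dict(drop_directories(rows)))
```

Feeding the full tables through parse_row instead of the embedded subset only requires pasting the rows into ROWS; the split on the sample path is what keeps the spaces and parentheses in the lure names from breaking the parse.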

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A (matched 47 times, every match from the sample process; the report records no further detail)
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe (4 write events)
PID 2780 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe (4 write events)

Note: all three PIDs run the same image. The chain 2684 into 2780, then 2780 into 1072, together with the 0x0000000000400000-0x000000000041E000 image-region dump recorded for each of the three PIDs in the Files section, is consistent with the sample launching a copy of itself and writing into the child's image region. The report does not show the bytes written or how the child's execution was redirected, so the precise injection technique is not established here.

Processes

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.183.252.71.in-addr.arpa udp
US 8.8.8.8:53 63.111.106.30.in-addr.arpa udp
US 8.8.8.8:53 192.160.131.50.in-addr.arpa udp
US 8.8.8.8:53 96.97.22.133.in-addr.arpa udp
US 8.8.8.8:53 140.66.124.76.in-addr.arpa udp
US 8.8.8.8:53 229.187.25.36.in-addr.arpa udp
US 8.8.8.8:53 101.174.223.203.in-addr.arpa udp
US 8.8.8.8:53 201.11.109.203.in-addr.arpa udp
US 8.8.8.8:53 41.69.246.142.in-addr.arpa udp
US 8.8.8.8:53 234.221.102.62.in-addr.arpa udp
US 8.8.8.8:53 137.220.65.35.in-addr.arpa udp
US 8.8.8.8:53 22.177.143.163.in-addr.arpa udp
US 8.8.8.8:53 141.31.58.155.in-addr.arpa udp
US 8.8.8.8:53 96.209.242.226.in-addr.arpa udp
US 8.8.8.8:53 49.235.105.63.in-addr.arpa udp
US 8.8.8.8:53 86.202.100.221.in-addr.arpa udp
US 8.8.8.8:53 144.126.54.74.in-addr.arpa udp
US 8.8.8.8:53 7.153.82.103.in-addr.arpa udp
US 8.8.8.8:53 53.72.167.17.in-addr.arpa udp
US 8.8.8.8:53 8.86.66.72.in-addr.arpa udp
US 8.8.8.8:53 242.112.52.229.in-addr.arpa udp
US 8.8.8.8:53 199.31.123.200.in-addr.arpa udp
US 8.8.8.8:53 69.4.218.254.in-addr.arpa udp
US 8.8.8.8:53 161.104.12.42.in-addr.arpa udp
US 8.8.8.8:53 223.109.111.73.in-addr.arpa udp
US 8.8.8.8:53 55.200.141.94.in-addr.arpa udp
US 8.8.8.8:53 15.146.68.113.in-addr.arpa udp
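The only network activity recorded for this run is the set of reverse (PTR) lookups above, sent to 8.8.8.8 for 27 unrelated IPv4 addresses; no forward DNS queries, TCP connections or HTTP requests are listed, so this table contains no C2 indicator. The Domain column holds the query name, and the address being asked about is its first four labels in reverse order. The Python below is an added example, not part of the sandbox report: it decodes each query name back to an address and classifies it with the standard-library ipaddress module. The rows embedded in it are copied from the table above. Two of the addresses fall in multicast space (224.0.0.0/4) and one in reserved space (240.0.0.0/4), ranges no real host answers from, which is consistent with randomly generated targets rather than a configured peer list; the report does not show which process issued the queries, so that reading is an inference.

```python
import ipaddress
from collections import Counter

# Rows copied from the Network table of the behavioral1 run (constructed sample input).
NETWORK_ROWS = """\
US 8.8.8.8:53 14.183.252.71.in-addr.arpa udp
US 8.8.8.8:53 63.111.106.30.in-addr.arpa udp
US 8.8.8.8:53 192.160.131.50.in-addr.arpa udp
US 8.8.8.8:53 96.97.22.133.in-addr.arpa udp
US 8.8.8.8:53 140.66.124.76.in-addr.arpa udp
US 8.8.8.8:53 229.187.25.36.in-addr.arpa udp
US 8.8.8.8:53 101.174.223.203.in-addr.arpa udp
US 8.8.8.8:53 201.11.109.203.in-addr.arpa udp
US 8.8.8.8:53 41.69.246.142.in-addr.arpa udp
US 8.8.8.8:53 234.221.102.62.in-addr.arpa udp
US 8.8.8.8:53 137.220.65.35.in-addr.arpa udp
US 8.8.8.8:53 22.177.143.163.in-addr.arpa udp
US 8.8.8.8:53 141.31.58.155.in-addr.arpa udp
US 8.8.8.8:53 96.209.242.226.in-addr.arpa udp
US 8.8.8.8:53 49.235.105.63.in-addr.arpa udp
US 8.8.8.8:53 86.202.100.221.in-addr.arpa udp
US 8.8.8.8:53 144.126.54.74.in-addr.arpa udp
US 8.8.8.8:53 7.153.82.103.in-addr.arpa udp
US 8.8.8.8:53 53.72.167.17.in-addr.arpa udp
US 8.8.8.8:53 8.86.66.72.in-addr.arpa udp
US 8.8.8.8:53 242.112.52.229.in-addr.arpa udp
US 8.8.8.8:53 199.31.123.200.in-addr.arpa udp
US 8.8.8.8:53 69.4.218.254.in-addr.arpa udp
US 8.8.8.8:53 161.104.12.42.in-addr.arpa udp
US 8.8.8.8:53 223.109.111.73.in-addr.arpa udp
US 8.8.8.8:53 55.200.141.94.in-addr.arpa udp
US 8.8.8.8:53 15.146.68.113.in-addr.arpa udp
"""


def decode_ptr(name):
    """Turn an IPv4 reverse-lookup name into the address it asks about.

    '14.183.252.71.in-addr.arpa' -> '71.252.183.14'.  Returns None when the
    name is not a well-formed four-label IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(ip):
    """Bucket an address so that unroutable targets stand out.

    Multicast (224/4) is tested before reserved (240/4); both are checked
    before is_private because ipaddress counts 240/4 as private as well.
    """
    addr = ipaddress.IPv4Address(ip)
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:
        return "reserved"
    if addr.is_loopback or addr.is_link_local or addr.is_private:
        return "private"
    return "public"


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows into decoded records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers and blank lines
        country, resolver, qname, proto = parts
        ip = decode_ptr(qname)
        if ip is None:
            continue  # not a reverse lookup; a forward query would land here
        records.append({"resolver": resolver, "proto": proto, "query": qname,
                        "ip": ip, "kind": classify(ip)})
    return records


def summarize(text):
    """Count how many queried addresses fall in each bucket."""
    return dict(Counter(rec["kind"] for rec in parse_rows(text)))


if __name__ == "__main__":
    for rec in parse_rows(NETWORK_ROWS):
        print(f'{rec["query"]:35} -> {rec["ip"]:16} {rec["kind"]}')
    print(summarize(NETWORK_ROWS))
```

Treat the 27 addresses as scan noise rather than as IOCs unless other evidence ties them to the sample; the resolver itself (8.8.8.8) is the only real destination in this table.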

Files

memory/2684-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\italian handjob xxx licking (Sylvia).avi.exe

MD5 c87a39b7e76f1983489cda49216fc809
SHA1 f613b41c79b7016536e45c9c9f407b0e2d0cd928
SHA256 5a36ec1c4f8486b5c5268f1d4f5f466dff167561a039f65f0c8aeced915cf05c
SHA512 836ee695bcf9a947adb490c8389cecac6b63cd06b1f342e2f82e22b50b90831eb5ade36fcfeb440087f91348a84c603755d9f22849a31ce8d35da867191e1fcb

Note: the dropped copy's hashes differ from the submitted sample's SHA256 (see the Analysis Overview), so the drops are not byte-identical to the parent and a hunt on the sample hash alone will miss them. The double extension (.avi.exe) and the drop directory are the stable indicators.

memory/2684-56-0x0000000005150000-0x000000000516E000-memory.dmp

memory/2780-57-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2780-90-0x0000000004AA0000-0x0000000004ABE000-memory.dmp

memory/1072-91-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2684-107-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2684-109-0x0000000005150000-0x000000000516E000-memory.dmp

memory/2780-110-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2780-112-0x0000000004AA0000-0x0000000004ABE000-memory.dmp

memory/1072-113-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:48

Reported

2024-04-07 19:51

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A (queried twice)

Note: Geo\Nation holds the user's configured country as a GEOID number. Reading it is a common way to gate behaviour by region, but the report does not show what the sample does with the value.

Reads user/profile data of web browsers

spyware stealer
(The report lists no indicator rows for this signature.)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows collapsed)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Note: the value lands under WOW6432Node because the registry redirector sends a 32-bit process on 64-bit Windows there when it opens HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; it is still a machine-wide Run entry, executed at every interactive logon. When checking a host, read both the native and the WOW6432Node Run keys and confirm whether C:\Windows\mssrv.exe exists: it does not appear among the Windows-directory drops listed in this report, and the value name mssrv32 is chosen to resemble a Windows component.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FxsTmp\american fucking [bangbus] leather .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\lesbian gay sleeping stockings .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\swedish gay handjob uncut (Jenna,Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black trambling catfight mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\animal [free] feet .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\danish cum bukkake hidden leather (Anniston,Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\chinese fucking big high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\asian beast full movie cock .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish nude [free] (Samantha,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\animal hardcore licking ash YEâPSè& (Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\kicking [milf] latex .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling handjob hidden vagina .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia fetish public black hairunshaved (Christine,Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\malaysia kicking hardcore voyeur .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\chinese cum hot (!) ash ejaculation .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\indian gay horse full movie high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\canadian xxx lingerie catfight feet bondage (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\norwegian gay hardcore girls vagina shower .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\indian porn uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\german sperm fucking [milf] .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gang bang voyeur cock (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish fucking voyeur ejaculation .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\action public .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Google\Temp\russian blowjob lingerie licking .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\chinese beastiality hardcore sleeping young (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\chinese gay lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Common Files\microsoft shared\asian blowjob sleeping titts (Jenna,Anniston).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\dotnet\shared\action hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish action fucking [milf] cock (Karin,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\african cum action catfight boobs .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
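The drop tables in this report (the System32 and Program Files tables above and the Windows-directory table that follows) share two traits worth turning into detection logic: every dropped file is an executable dressed as a media or archive file (.avi.exe, .mpg.exe, .mpeg.exe, .rar.exe or .zip.exe, with a space before the extension), and every drop directory contains "shar", "temp", "tmp", "download", "incoming" or "p2p" somewhere in its name, including accidental substring hits such as config\systemprofile and WinSxS components like vsssystemprovider. That pattern suggests the sample picks target folders by naive substring matching on names associated with file sharing, though the report does not show the selection code, so the keyword list is an assumption drawn from these rows. The Python below is an added example, not part of the report: it applies both checks to paths copied from the tables, plus the persistence image C:\Windows\mssrv.exe from the Run key as a negative case.

```python
import ntpath
import re
from collections import Counter

# Folder-name substrings shared by every drop location in this report.
# Assumption derived from the report's rows, not from the sample's code;
# the first keyword found in this order is the one reported.
KEYWORDS = ("shar", "temp", "tmp", "download", "incoming", "p2p")

# Executable disguised as a media or archive file, e.g. "clip .avi.exe".
LURE_RE = re.compile(r"\.(?:avi|mpe?g|rar|zip)\.exe$", re.IGNORECASE)

# Paths copied from the drop tables of this report (constructed sample input).
REPORT_DROPS = [
    r"C:\Program Files\Windows Sidebar\Shared Gadgets\italian handjob xxx licking (Sylvia).avi.exe",
    r"C:\Windows\SysWOW64\FxsTmp\american fucking [bangbus] leather .zip.exe",
    r"C:\Windows\System32\LogFiles\Fax\Incoming\swedish gay handjob uncut (Jenna,Kathrin).rar.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black trambling catfight mistress .mpeg.exe",
    r"C:\Windows\SysWOW64\config\systemprofile\animal [free] feet .rar.exe",
    r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish nude [free] (Samantha,Janette).rar.exe",
    r"C:\Program Files\Microsoft Office\root\Templates\malaysia kicking hardcore voyeur .avi.exe",
    r"C:\Program Files (x86)\Microsoft\Temp\chinese gay lesbian .mpg.exe",
    r"C:\Program Files\dotnet\shared\action hidden .mpeg.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\chinese gay action uncut .mpg.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\lingerie full movie .rar.exe",
]

# The persistence image from the Run key: a plain .exe in a folder with no
# sharing-related keyword, used as the negative case.
NEGATIVE = r"C:\Windows\mssrv.exe"


def lure_extension(path):
    """Return the lower-cased double extension (e.g. '.avi.exe') or None."""
    match = LURE_RE.search(ntpath.basename(path))
    return match.group(0).lower() if match else None


def folder_keyword(path):
    """Return the first sharing-related keyword found in the directory part.

    Only the directory is examined, so a lure filename cannot satisfy this
    check on its own; ntpath handles backslash paths on any platform.
    """
    folder = ntpath.dirname(path).lower()
    for keyword in KEYWORDS:
        if keyword in folder:
            return keyword
    return None


def is_suspicious_drop(path):
    """Both traits together: lure extension in a sharing-style folder."""
    return lure_extension(path) is not None and folder_keyword(path) is not None


def triage(paths):
    """Annotate each path with the keyword and extension it matched."""
    return [{"path": p, "keyword": folder_keyword(p), "lure": lure_extension(p)}
            for p in paths]


def summarize(paths):
    """Count matches per keyword and per extension; list non-matching paths."""
    rows = triage(paths)
    return {
        "by_keyword": dict(Counter(r["keyword"] for r in rows if r["keyword"])),
        "by_extension": dict(Counter(r["lure"] for r in rows if r["lure"])),
        "unmatched": [r["path"] for r in rows if not is_suspicious_drop(r["path"])],
    }


if __name__ == "__main__":
    for row in triage(REPORT_DROPS + [NEGATIVE]):
        print(f'{str(row["keyword"]):9} {str(row["lure"]):10} {row["path"]}')
    print(summarize(REPORT_DROPS + [NEGATIVE]))
```

The same two checks transfer to an endpoint hunt: a file-creation event whose name matches the double-extension pattern and whose parent directory matches one of the keywords is a high-confidence hit for this family of drops, independent of the ever-changing lure names and hashes.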

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\security\templates\indian beastiality girls hole pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\norwegian bukkake licking hole YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\japanese gang bang big .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\american beast cum [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\action voyeur nipples mature (Karin,Britney).rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\italian fetish bukkake several models .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\fetish [bangbus] nipples 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\american lingerie licking .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\horse licking Ôï (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\sperm cumshot masturbation balls .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\chinese gay action uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\black sperm beastiality public (Gina,Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\cumshot cum sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\canadian cumshot public legs young .zip.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\xxx handjob several models nipples .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\african bukkake several models hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\tyrkish nude kicking sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\lingerie sleeping YEâPSè& .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\cumshot sleeping (Melissa,Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\french beastiality public .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\chinese handjob lingerie uncut hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\action masturbation titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\gay fucking full movie hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\british kicking several models vagina circumcision (Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\indian horse lesbian masturbation gorgeoushorny (Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\swedish lingerie hardcore hidden Ôï .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\german porn licking .rar.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\handjob animal girls (Samantha,Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\bukkake blowjob several models high heels (Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\bukkake lesbian big legs high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\brasilian gang bang lesbian lesbian sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\british handjob xxx girls legs .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\american beast big bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\italian gang bang animal lesbian shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe
PID 4780 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe
PID 2140 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe

"C:\Users\Admin\AppData\Local\Temp\2ec939c19a80906c0da6e47528e6bd8b74fe5e0da9c75a1de01883a686284e0f.exe"

Network

Country Destination Domain Proto

Files

memory/4780-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\african cum action catfight boobs .mpg.exe

MD5 5d739facfb1e44276a657c2768d72f82
SHA1 eacdcf75be14d659532f4483b562f985f776c18b
SHA256 9491795689c665ee9276b7c6dbe8db17f07632295fcef9e60f5072b3e60adf79
SHA512 e52a6f54e15260257c3dc659f858e99495d8e54690c0784c47a5f7830d3a3b911f80f078ce7b89d0c49435dba0ddd4827ca2478632d7afdb19b0af4f1b5597d6

memory/2140-26-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2252-156-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4824-157-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4780-189-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2140-191-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2252-196-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4824-197-0x0000000000400000-0x000000000041E000-memory.dmp