Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-yjsd8adb94
Target 2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a
SHA256 2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a
Tags
upx persistence spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file 2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:49

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx
Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:49

Reported

2024-04-07 19:51

Platform

win7-20240319-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2276 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2276 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2276 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2512 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2512 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2512 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 2512 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 125.34.68.209.in-addr.arpa udp
US 8.8.8.8:53 59.235.221.170.in-addr.arpa udp
US 8.8.8.8:53 242.22.17.16.in-addr.arpa udp
US 8.8.8.8:53 152.119.6.98.in-addr.arpa udp
US 8.8.8.8:53 5.57.15.247.in-addr.arpa udp
US 8.8.8.8:53 178.9.216.206.in-addr.arpa udp
US 8.8.8.8:53 9.129.173.20.in-addr.arpa udp
US 8.8.8.8:53 72.135.185.192.in-addr.arpa udp
US 8.8.8.8:53 129.137.120.161.in-addr.arpa udp
US 8.8.8.8:53 93.15.108.241.in-addr.arpa udp
US 8.8.8.8:53 38.10.172.58.in-addr.arpa udp
US 8.8.8.8:53 129.149.82.70.in-addr.arpa udp
US 8.8.8.8:53 89.64.34.41.in-addr.arpa udp
US 8.8.8.8:53 240.96.123.168.in-addr.arpa udp
US 8.8.8.8:53 80.136.70.74.in-addr.arpa udp
US 8.8.8.8:53 3.100.38.226.in-addr.arpa udp
US 8.8.8.8:53 127.49.152.240.in-addr.arpa udp
US 8.8.8.8:53 112.116.64.61.in-addr.arpa udp
US 8.8.8.8:53 197.54.118.160.in-addr.arpa udp
US 8.8.8.8:53 174.92.129.207.in-addr.arpa udp
US 8.8.8.8:53 64.199.226.137.in-addr.arpa udp
US 8.8.8.8:53 29.152.203.139.in-addr.arpa udp
US 8.8.8.8:53 171.72.20.230.in-addr.arpa udp
US 8.8.8.8:53 17.134.158.149.in-addr.arpa udp
US 8.8.8.8:53 223.109.65.231.in-addr.arpa udp

Files

memory/2276-0-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\american handjob fucking hidden cock .avi.exe

MD5 e27dfeb16260da7f24632bde0858ae20
SHA1 434004a0e075eeb1f44e49d8dc1910248adf3a4d
SHA256 37d0bb883c9c5a6367513ec7b44482cdfb35b2ebfac21b368edaaf59c3de7a11
SHA512 d6ad99ff9c627d6875667ac61050a748df6345a5bfd09902616623a0b71b9815ad5ddfde7c5dc195d422cd451b724a7a3b033b689273a723c5a643bb118dea9e

memory/2512-20-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2512-59-0x0000000004900000-0x0000000004920000-memory.dmp

memory/1996-61-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2276-93-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2276-95-0x00000000056C0000-0x00000000056E0000-memory.dmp

memory/2512-97-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2512-98-0x0000000004900000-0x0000000004920000-memory.dmp

memory/1996-101-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:49

Reported

2024-04-07 19:52

Platform

win10v2004-20240226-en

Max time kernel

161s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\italian fetish hardcore lesbian hole .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\indian action trambling public YEâPSè& (Jenna,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\american gang bang bukkake catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\lesbian voyeur wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\brasilian porn lesbian hot (!) cock (Sonja,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie hidden hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\hardcore hot (!) castration .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\System32\DriverStore\Temp\danish action beast public titts bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fetish hardcore full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\black animal sperm catfight swallow .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\bukkake sleeping swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\japanese animal beast [free] castration .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish cumshot trambling public balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\lesbian [milf] gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Google\Temp\tyrkish cumshot lesbian hidden cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\dotnet\shared\blowjob hot (!) hole (Sandy,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay lesbian hole .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\indian nude horse hot (!) black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\horse uncut hole .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\lingerie lesbian .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\indian gang bang lingerie several models titts circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{1FAC69E2-6A78-4418-8957-20DE7094BB95}\EDGEMITMP_86547.tmp\lingerie voyeur feet girly .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Common Files\microsoft shared\trambling [milf] fishy .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\fucking [free] castration .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian fetish fucking [free] hole YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\malaysia fucking several models .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\danish action xxx big black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish horse lingerie uncut hole mature .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\black horse gay voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\japanese handjob beast [milf] circumcision .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast [free] ejaculation .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\canadian horse [milf] 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\porn blowjob girls cock hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\cum lesbian masturbation (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\action blowjob licking .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\swedish action trambling public hole (Ashley,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\german hardcore big glans upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\russian cumshot fucking licking (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\kicking lingerie public .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\german horse full movie cock lady .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_10.0.19041.1_none_77cfea69a421a4a1\kicking gay masturbation titts .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\malaysia hardcore [milf] (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\horse trambling full movie (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\canadian lesbian voyeur ejaculation .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\chinese gay hidden cock latex (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\beast licking .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\french fucking several models black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\bukkake several models (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\danish porn xxx girls titts wifey (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\canadian gay sleeping titts pregnant (Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\asian gay public ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\spanish beast licking .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\brasilian horse gay [bangbus] bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\gay big hole .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\norwegian gay hot (!) titts pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french trambling uncut hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\norwegian beast lesbian .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\brasilian horse beast [milf] mature (Sandy,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\british fucking full movie cock YEâPSè& .mpg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\cum trambling hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\german gay sleeping hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\asian lingerie girls redhair (Kathrin,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\spanish xxx big hole ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4024 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 4024 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe
PID 4144 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe

"C:\Users\Admin\AppData\Local\Temp\2ee5b6ef052ef91e4270fd880574a49a87eed7a65a4a121429d29279622f242a.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay lesbian hole .avi.exe

MD5 881277c33dc69f8b227ee1595d669042
SHA1 6726ca39c36d4bd351e550e93b749c8e1d3edf89
SHA256 9513943dd590585f8f9b3d70c076949be7714f51dda03dab8da0d7447e14c4c7
SHA512 41d2af6e30bd7d3da7b03df7d1349c6c05515c99d41f82a22239b1a5ac30f382069aff4f3c01dc283b27348a746a16487473796e405894ecaa878fa0d9ff7409

C:\debug.txt

MD5 22de839b01ab1a878cc7d5ec8b3ad5a7
SHA1 6c59d726dc67ee41cf6066bb6659db06281adf01
SHA256 c800b9e4b835129e14cc0432578320dc97b21ad5d98d05435f19b6a930f99451
SHA512 8def94f94d3816c0084ee3400c033c3e9ab13e1047b40aae7af576eb67bb1ce7b39152a39f0bb4849e132637191c37fd63be724f6cf1ae643855bae9b5907724