Malware Analysis Report

2024-11-30 04:13

Sample ID 240408-a6ws6abg79
Target ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c
SHA256 ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c

Threat Level: Known bad

The file ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)


UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 00:50

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
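The three static signatures above (UPX packed, UPX dump on OEP, Unsigned PE) are the kind of checks an analyst reproduces before detonating. The following is an added example, not part of the sandbox report or the sample: a minimal PE header walker that flags the UPX section names, the "UPX!" marker stock UPX writes after the section table, and an empty first section (UPX0 is virtual-only on disk), and reports whether the optional header's security data directory points at an Authenticode blob. The two sample images are constructed in memory by build_sample_pe() and stand in for a packed and an unpacked file; the section layout and sizes are illustrative assumptions, not measurements of ba54a9ad...b5007c.exe.

```python
import struct

# Index of the Authenticode signature entry in the optional header data directory.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
UPX_SECTION_PREFIX = "UPX"
UPX_MARKER = b"UPX!"  # emitted by stock UPX; modified builds often strip it


def parse_pe(data: bytes) -> dict:
    """Walk DOS/NT headers and return the section table plus the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    dd_offset = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directory start
    sec_rva, sec_size = struct.unpack_from("<II", data, dd_offset + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size})
    return {"sections": sections, "security_dir": (sec_rva, sec_size)}


def analyze_pe(data: bytes) -> dict:
    """Apply the UPX and signature heuristics the static signatures above correspond to."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    reasons = []
    if any(n.upper().startswith(UPX_SECTION_PREFIX) for n in names):
        reasons.append("UPX-named sections: " + ", ".join(names))
    if UPX_MARKER in data:
        reasons.append("'UPX!' marker present")
    first = pe["sections"][0] if pe["sections"] else None
    if first and first["raw_size"] == 0 and first["virtual_size"] > 0:
        reasons.append("first section has virtual size but no raw data (unpack target)")
    return {
        "upx_packed": bool(reasons),
        "upx_reasons": reasons,
        # A non-zero security directory only means a signature blob exists, not that it validates.
        "has_authenticode": pe["security_dir"][1] > 0,
        "sections": names,
    }


def build_sample_pe(sections, signature_size=0, tail=b"") -> bytes:
    """Construct a minimal PE32 image (headers only) for offline testing. Constructed data."""
    opt_size = 224  # PE32 optional header incl. 16 data directories
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)    # NumberOfRvaAndSizes
    if signature_size:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, signature_size)
    headers = bytearray()
    va, raw = 0x1000, 0x400
    for name, vsize, rsize in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, rsize,
                               raw if rsize else 0, 0, 0, 0, 0, 0x60000020)
        va += max(vsize, 0x1000)
        raw += rsize
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(headers) + tail


# Constructed stand-ins: a UPX-style layout with an empty UPX0 and the marker, and a plain signed binary.
UPX_SAMPLE = build_sample_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x400)],
                             tail=b"\0" * 16 + UPX_MARKER + b"\0" * 8)
PLAIN_SAMPLE = build_sample_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200)], signature_size=0x1800)

if __name__ == "__main__":
    for label, blob in (("upx-style", UPX_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, analyze_pe(blob))
```

Two caveats a practitioner should keep in mind: renaming the sections and stripping the "UPX!" string defeats the first two heuristics, which is why the empty-first-section check (and, on a real file, section entropy) matters more than the names; and "Unsigned PE" here means no security directory at all, so a file that does carry a blob still needs chain validation (for example signtool verify or Get-AuthenticodeSignature) before it counts as signed.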

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 00:50

Reported

2024-04-08 00:52

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IME\shared\danish beastiality public sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\lesbian action uncut glans .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\IME\shared\tyrkish fucking uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\canadian cumshot nude sleeping penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\african gay big .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\black fetish fetish [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum lesbian (Kathrin,Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fetish blowjob girls ìï .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian trambling sleeping boobs (Sonja,Gina).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\System32\DriverStore\Temp\malaysia blowjob sleeping upskirt (Ashley,Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\asian lesbian gay [bangbus] (Curtney,Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\sperm cum catfight gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\african bukkake lesbian titts ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\french nude [bangbus] shower (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\handjob lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\DVD Maker\Shared\tyrkish action beastiality sleeping beautyfull .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Windows Journal\Templates\danish lingerie porn lesbian 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\american handjob catfight (Sonja,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\russian cumshot trambling hidden girly .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\asian kicking several models nipples hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\bukkake blowjob hot (!) fishy (Gina,Gina).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\norwegian cumshot lingerie uncut upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\norwegian xxx hardcore lesbian boots (Curtney,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\american trambling catfight vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian action big (Janette,Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish cum gay [bangbus] vagina leather .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\canadian gang bang lesbian sleeping fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\british nude action sleeping stockings .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SoftwareDistribution\Download\blowjob masturbation (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\tyrkish beast [free] 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\russian beast hardcore public bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\black horse hardcore voyeur wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\asian horse kicking sleeping (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\horse several models fishy (Janette,Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\danish lesbian bukkake catfight girly .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\indian sperm nude catfight ash .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\gang bang [free] .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\tyrkish action cumshot girls glans sm .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\brasilian handjob lingerie uncut sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\Downloaded Program Files\swedish fucking nude girls leather .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\african action [bangbus] 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\beastiality gang bang licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\spanish cumshot sleeping wifey (Tatjana,Kathrin).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\trambling fetish several models balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\american hardcore fucking lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\indian sperm horse [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\horse catfight black hairunshaved (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\indian sperm lingerie sleeping nipples stockings (Curtney,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\canadian sperm handjob voyeur young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\norwegian blowjob gang bang girls (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\lesbian [free] bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\brasilian trambling sleeping high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\handjob public (Sandy,Sandy).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\asian gay xxx hidden mistress (Sandy,Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\tyrkish gay catfight titts .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\german action beastiality full movie (Karin,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\malaysia beastiality beastiality [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\danish cum handjob uncut hotel (Jenna,Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\horse girls ash granny .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\asian xxx cumshot several models .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\cum hidden balls .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\russian gang bang uncut hole bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\kicking uncut glans fishy .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\lesbian licking bondage (Jade,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\german gay big cock wifey (Melissa,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\lesbian horse big YEâPSè& (Christine,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\british lesbian girls YEâPSè& (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\canadian fetish xxx masturbation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\black handjob bukkake public .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\kicking fucking hidden sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\chinese fetish animal catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\american blowjob blowjob uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\porn public (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\norwegian xxx beastiality uncut nipples (Sarah,Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\canadian blowjob horse hot (!) boobs pregnant (Liz,Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\american beastiality licking vagina (Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\japanese kicking action several models gorgeoushorny (Karin,Jenna).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\canadian fetish catfight YEâPSè& .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\PLA\Templates\handjob lingerie hot (!) bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\beastiality fetish public hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\trambling horse full movie blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\asian nude blowjob full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\animal fucking sleeping penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\japanese bukkake public .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\asian blowjob blowjob [milf] (Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\french kicking catfight penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\russian fucking hot (!) legs young (Samantha,Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\american lingerie catfight glans (Curtney,Christine).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\security\templates\cumshot fetish licking penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
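The indicator tables above (the Run key at mssrv32, the drive-letter probe from A: to Z:, and the drops into System32, Program Files and the Windows directory) are what a responder turns into host IOCs. The following is an added example, not part of the sandbox report: a parser for the report's flattened "Description Indicator Process Target" rows, plus an extractor that pulls out the persistence image path, the probed drive letters and the dropped executables whose names end in a media or archive extension followed by .exe. The sample rows are copied from the tables above; the only assumption is that the Process column (the sandbox's own path to the sample) never contains whitespace, which holds for every row on this page.

```python
import re
from collections import Counter

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

# Indicator cells copied from the behavioral1 tables above; Process and Target are appended below.
INDICATOR_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"',
    r"File opened (read-only) \??\V:",
    r"File opened (read-only) \??\E:",
    r"File created C:\Windows\SoftwareDistribution\Download\blowjob masturbation (Tatjana).rar.exe",
    r"File created C:\Program Files (x86)\Google\Update\Download\norwegian xxx hardcore lesbian boots (Curtney,Jade).rar.exe",
    r"File created C:\Windows\PLA\Templates\handjob lingerie hot (!) bondage .avi.exe",
]
REPORT_ROWS = "\n".join(f"{row} {SAMPLE_EXE} N/A" for row in INDICATOR_ROWS)

DESCRIPTIONS = ("Set value (str)", "File opened (read-only)", "File created")
# Media/archive extension immediately followed by .exe: the double-extension pattern in the drops above.
LURE_RE = re.compile(r"\.(avi|mpe?g|rar|zip|mp4|wmv)\.exe$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")  # NT-style drive root, e.g. \??\V:


def parse_row(line: str) -> dict:
    """Split one flattened table row into its four columns.

    The Indicator column contains spaces, but the Process column is the sample path and does
    not (assumption stated in the lead-in), so the last two whitespace-separated tokens are
    Process and Target and everything before them is Description + Indicator."""
    head, process, target = line.rsplit(None, 2)
    for desc in DESCRIPTIONS:
        if head.startswith(desc + " "):
            return {"description": desc, "indicator": head[len(desc) + 1:],
                    "process": process, "target": target}
    raise ValueError(f"unrecognised row: {line!r}")


def parse_rows(text: str) -> list:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def extract_iocs(rows: list) -> dict:
    """Pull persistence, drive enumeration and double-extension drops out of parsed rows."""
    iocs = {"run_keys": [], "lure_files": [], "drives": []}
    for row in rows:
        ind = row["indicator"]
        if row["description"] == "Set value (str)" and "\\CurrentVersion\\Run\\" in ind:
            key, _, value = ind.partition(" = ")
            image = value.strip('"').replace("\\\\", "\\")  # report escapes backslashes in values
            iocs["run_keys"].append({
                "key": key,
                "value_name": key.rsplit("\\", 1)[1],
                "image": image,
                # Wow6432Node means a 32-bit process wrote HKLM\Software\...\Run on 64-bit Windows.
                "wow64": "\\Wow6432Node\\" in key,
            })
        elif row["description"] == "File created" and (m := LURE_RE.search(ind)):
            iocs["lure_files"].append({"path": ind, "fake_ext": m.group(1).lower(),
                                       "root": ind.split("\\")[1]})
        elif row["description"] == "File opened (read-only)" and (m := DRIVE_RE.match(ind)):
            iocs["drives"].append(m.group(1))
    return iocs


def summarize(iocs: dict) -> dict:
    """Counts a responder can act on: where the lures landed, which extensions they fake,
    how many drive roots were probed, and which images the Run keys launch."""
    return {
        "lures_by_root": dict(Counter(f["root"] for f in iocs["lure_files"])),
        "fake_extensions": dict(Counter(f["fake_ext"] for f in iocs["lure_files"])),
        "drives_probed": len(iocs["drives"]),
        "run_key_images": [k["image"] for k in iocs["run_keys"]],
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(REPORT_ROWS))
    print(summarize(iocs))
```

The point of separating the Run key image from the sandbox path is that C:\Windows\mssrv.exe, not the Temp copy of the sample, is what to hunt for on other hosts; the same goes for the dropped names, which should be matched by the ".<media or archive>.exe" suffix rather than by the individual strings, since the words are clearly generated. Note that the Wow6432Node path shows the sample is a 32-bit process on the 64-bit Windows 7 image, so a registry check on a real host must read the redirected key as well as the native one.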

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe
PID 2488 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.99.130.249.in-addr.arpa udp
US 8.8.8.8:53 15.212.22.203.in-addr.arpa udp
US 8.8.8.8:53 175.248.222.117.in-addr.arpa udp
US 8.8.8.8:53 33.99.87.31.in-addr.arpa udp
US 8.8.8.8:53 227.224.124.225.in-addr.arpa udp
US 8.8.8.8:53 75.48.162.5.in-addr.arpa udp
US 8.8.8.8:53 96.119.13.15.in-addr.arpa udp
US 8.8.8.8:53 15.68.91.240.in-addr.arpa udp
US 8.8.8.8:53 161.212.132.13.in-addr.arpa udp
US 8.8.8.8:53 32.63.250.90.in-addr.arpa udp
US 8.8.8.8:53 195.171.2.59.in-addr.arpa udp
US 8.8.8.8:53 96.42.169.114.in-addr.arpa udp
US 8.8.8.8:53 89.104.193.117.in-addr.arpa udp
US 8.8.8.8:53 167.131.106.238.in-addr.arpa udp
US 8.8.8.8:53 243.4.185.187.in-addr.arpa udp
US 8.8.8.8:53 77.91.51.213.in-addr.arpa udp
US 8.8.8.8:53 107.179.181.38.in-addr.arpa udp
US 8.8.8.8:53 137.144.176.199.in-addr.arpa udp
US 8.8.8.8:53 120.184.215.127.in-addr.arpa udp
US 8.8.8.8:53 187.200.247.89.in-addr.arpa udp
US 8.8.8.8:53 119.209.115.75.in-addr.arpa udp
US 8.8.8.8:53 204.16.167.182.in-addr.arpa udp
US 8.8.8.8:53 1.11.126.231.in-addr.arpa udp

Files

memory/2860-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\american handjob catfight (Sonja,Tatjana).zip.exe

MD5 389478cda8298f222fd93f3ba3206aec
SHA1 4b7bde5fcc0722a71e6b039961eba16ab6c741dc
SHA256 f2c3ff478acc3fe2b46e2d52ee4df33cc5e640bd5d86b2ad933f7da42fda31a0
SHA512 39b5aa9c9b6ae7bfd6021036471589dfad89e1b040a26b00cb0d7089dd2442ab40d5a9d4d9eaf24a30b3c311059838f579a4f09bd1a7fab997e2ac942f2291c9

memory/2860-15-0x0000000004B40000-0x0000000004B5D000-memory.dmp

memory/2488-16-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2488-58-0x0000000004510000-0x000000000452D000-memory.dmp

memory/2396-59-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2860-96-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2860-98-0x0000000004B40000-0x0000000004B5D000-memory.dmp

memory/2488-99-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2488-100-0x0000000004510000-0x000000000452D000-memory.dmp

C:\debug.txt

MD5 08f20fa3544cd03ad77e196b8e29500b
SHA1 825f7a2c3b0c8b78e0053cb854a270dca23d73b3
SHA256 841ad590d83802e1796c5219d003456020b39319ad94337ac4c5e143e899da77
SHA512 4e2828104b52ee8f5befd02e4c9c7f39b881b93bd4a7abdea6566b9a213e708f0185841ce6d6e6da6e6af20aaed5d04166ee4a7469d4fdca7c260ab86b6bbb13

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 00:50

Reported

2024-04-08 00:52

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\american sperm sleeping (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gay fucking several models mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\beastiality [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\british sperm uncut penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\chinese handjob beastiality catfight (Sonja,Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\asian lingerie hidden cock hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\american animal lesbian titts YEâPSè& (Sonja,Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fetish nude sleeping young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\chinese bukkake fucking several models blondie (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\cumshot voyeur .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\beastiality uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\african xxx gay several models (Ashley,Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\horse horse catfight legs granny .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Common Files\microsoft shared\brasilian gang bang lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\nude sperm [bangbus] blondie (Curtney,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\asian action horse lesbian gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african blowjob licking nipples bedroom (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\dotnet\shared\malaysia horse horse sleeping glans .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\canadian horse big shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\horse fucking sleeping (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\french horse hardcore girls vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\horse big blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\spanish handjob cum sleeping nipples upskirt .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian bukkake big latex .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\chinese cumshot horse sleeping .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\norwegian hardcore fetish full movie titts (Sarah,Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish horse beastiality [milf] hole .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\canadian handjob masturbation young .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\brasilian nude voyeur feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\gay licking young (Anniston,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\animal hot (!) mature (Sandy,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\chinese porn nude catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\fucking lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\InstallTemp\porn lesbian boobs castration .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\tyrkish cum lesbian [milf] titts high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\canadian horse cumshot [milf] balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian lesbian lesbian balls .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\swedish gay voyeur cock lady (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\chinese kicking gay big .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\hardcore bukkake lesbian ash redhair (Tatjana,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\nude gang bang big femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\beast handjob hot (!) feet 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\blowjob [free] cock (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\cum catfight beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\black horse gang bang several models .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\bukkake fetish uncut leather .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\trambling fetish lesbian cock fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\tyrkish horse [milf] blondie .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\cum big vagina .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\xxx hardcore licking (Samantha,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\japanese trambling gang bang [free] hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\blowjob lingerie several models glans .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\russian porn hot (!) granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\spanish nude hidden boobs wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\norwegian beastiality catfight gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\british fetish public balls .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\tyrkish horse fucking masturbation Ôï .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\spanish beastiality hardcore hidden black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\british gang bang masturbation legs boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\beastiality lesbian lesbian .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\assembly\tmp\italian sperm voyeur nipples (Karin,Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\swedish cumshot gang bang full movie .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\indian lingerie masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\indian xxx [milf] vagina shower .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\kicking [milf] bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\norwegian trambling horse hidden sm (Ashley,Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\beastiality uncut Ôï .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\chinese action action voyeur sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\horse licking high heels (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\black beast public redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\gay gang bang full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\asian hardcore lesbian castration .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\norwegian lesbian cumshot uncut shoes .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_b53f8b98f2b3a373\hardcore blowjob [milf] .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\beast horse several models hole boots .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\swedish handjob trambling several models fishy (Sandy,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\black beastiality xxx catfight hairy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.746_none_822bf1ada1526fa8\beastiality kicking big boobs swallow .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\handjob porn hot (!) YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\horse lesbian masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\beast lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\sperm bukkake [free] boobs bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\indian xxx big legs mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\british kicking voyeur YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\french cumshot hidden sm .zip.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\InputMethod\SHARED\danish animal [free] nipples .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\beast fetish lesbian 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\danish kicking beastiality uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\norwegian cumshot girls vagina penetration (Sandy,Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\asian cumshot action masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\indian trambling kicking hidden ash .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\danish fucking big Ôï (Britney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\german fetish sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\malaysia cumshot hardcore girls wifey (Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
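The rows above share one pattern: every dropped file is a media or archive name ending in a second `.exe` extension, written by the sample into WinSxS, Windows service-profile and shared directories, and Program Files. The script below, an added example that is not part of the sandbox output, parses rows in the report's own "File created <path> <process> <target>" layout and flags that pattern so the list can be turned into a hunting query. The four report rows are copied from the table above; the `example.log` row is constructed to show the negative case, and the extension list only covers the lures seen in this report.

```python
import re
from collections import Counter

# Constructed sample input: four "File created" rows copied from the table
# above plus one made-up benign row (example.log) to show the negative case.
SAMPLE_ROWS = [
    r"File created C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\chinese action action voyeur sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A",
    r"File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\british kicking voyeur YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A",
    r"File created C:\Windows\InputMethod\SHARED\danish animal [free] nipples .rar.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A",
    r"File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\german fetish sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A",
    r"File created C:\Windows\Temp\example.log C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A",
]

# Report layout: "File created <dropped path> <writing process> <target>".
# The writing-process column contains no spaces, so a non-greedy match on the
# dropped path stops at the first " X:\" that begins that column.
ROW_RE = re.compile(
    r"^File created (?P<path>.+?) (?P<proc>[A-Za-z]:\\\S+?\.exe) (?P<target>\S+)$"
)

# Media/archive extension immediately followed by .exe: the lure used by every
# file in the table. Only the extensions seen in this report are listed.
DOUBLE_EXT_RE = re.compile(r"\.(avi|mpe?g|rar|zip)\.exe$", re.IGNORECASE)


def classify_location(path):
    """Bucket a dropped path the way the report's signatures do."""
    p = path.lower()
    if "\\winsxs\\" in p:
        return "WinSxS"
    if p.startswith("c:\\windows\\"):
        return "Windows"
    if p.startswith("c:\\program files"):
        return "Program Files"
    return "other"


def parse_drop(row):
    """Parse one row; return None if it is not in the expected layout."""
    m = ROW_RE.match(row)
    if not m:
        return None
    path = m.group("path")
    name = path.rsplit("\\", 1)[-1]
    return {
        "path": path,
        "name": name,
        "writer": m.group("proc"),
        "location": classify_location(path),
        "double_extension": bool(DOUBLE_EXT_RE.search(name)),
    }


def triage_drops(rows):
    """Parse every row, silently skipping rows that do not match."""
    return [d for d in map(parse_drop, rows) if d is not None]


def lure_names(rows):
    """Names worth hunting for on other hosts: the double-extension drops."""
    return [d["name"] for d in triage_drops(rows) if d["double_extension"]]


def summarize_drops(rows):
    recs = triage_drops(rows)
    return {
        "total": len(recs),
        "double_extension": sum(r["double_extension"] for r in recs),
        "by_location": dict(Counter(r["location"] for r in recs)),
        "writers": sorted({r["writer"] for r in recs}),
    }


if __name__ == "__main__":
    print(summarize_drops(SAMPLE_ROWS))
    for n in lure_names(SAMPLE_ROWS):
        print("lure:", n)
```

Feed it the full "File created" list and the `by_location` counts reproduce the report's "Drops file in System32 / Windows / Program Files directory" signatures, while `lure_names` gives the exact filenames to search for on file shares.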

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe N/A
(this row is recorded 64 times: every process enumeration was performed by the sample itself, with no indicator or target logged)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2764 wrote to memory of 2828 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe
PID 2828 wrote to memory of 4556 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe
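The WriteProcessMemory rows describe a chain, 2764 writing into 2828 and 2828 writing into 4556, where the target process is the sample's own executable path each time. The script below is an added example, not part of the sandbox output: it reconstructs that chain from rows in the report's "PID <a> wrote to memory of <b> ..." layout and cross-checks it against the dump names in the Files section, which follow the report's memory/<pid>-<seq>-<start>-<end>-memory.dmp naming. The six rows and six dump names are copied from this report; the loop guard and the multi-root handling are assumptions for reports with more complex trees.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the WriteProcessMemory rows and memory-dump names
# copied from this report (the report lists each write as its own row).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"
WPM_ROWS = (
    [f"PID 2764 wrote to memory of 2828 N/A {SAMPLE} {SAMPLE}"] * 3
    + [f"PID 2828 wrote to memory of 4556 N/A {SAMPLE} {SAMPLE}"] * 3
)
DUMP_NAMES = [
    "memory/2764-0-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2828-44-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/4556-161-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2764-190-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/2828-194-0x0000000000400000-0x000000000041D000-memory.dmp",
    "memory/4556-195-0x0000000000400000-0x000000000041D000-memory.dmp",
]

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<proc>\S+) (?P<target>\S+)$"
)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_writes(rows):
    """Return {(writer_pid, target_pid): (write_count, same_image)} where
    same_image is True when writer and target are the same executable path."""
    counts = Counter()
    same_image = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]))
        counts[edge] += 1
        same_image[edge] = m["proc"].lower() == m["target"].lower()
    return {e: (counts[e], same_image[e]) for e in counts}


def build_chains(edges):
    """Follow writer -> target edges from every root (a PID that is never a
    target). Returns one PID path per leaf; loops are cut where first seen."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        if dst not in children[src]:
            children[src].append(dst)
        targets.add(dst)
    roots = [p for p in children if p not in targets]
    chains = []

    def walk(pid, path, seen):
        kids = children.get(pid, [])
        if pid in seen or not kids:
            chains.append(path)
            return
        for k in kids:
            walk(k, path + [k], seen | {pid})

    for r in roots:
        walk(r, [r], set())
    return chains


def parse_dumps(names):
    """Map pid -> set of (start, end) regions the sandbox dumped from it."""
    regions = defaultdict(set)
    for n in names:
        m = DUMP_RE.match(n)
        if m:
            regions[int(m["pid"])].add((int(m["start"], 16), int(m["end"], 16)))
    return dict(regions)


def shared_regions(chain, regions):
    """Regions dumped from every PID in the chain (empty if any PID differs)."""
    common = None
    for pid in chain:
        r = regions.get(pid, set())
        common = r if common is None else common & r
    return sorted(common) if common else []


if __name__ == "__main__":
    writes = parse_writes(WPM_ROWS)
    for chain in build_chains(writes):
        print(" -> ".join(map(str, chain)), shared_regions(chain, parse_dumps(DUMP_NAMES)))
```

For this report the chain is 2764 -> 2828 -> 4556, every edge is a write into another copy of the same executable, and all three PIDs were dumped from the same 0x400000-0x41D000 region, which is the region to compare when checking whether the second and third instances run the same unpacked code as the first.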

Processes

Three instances of the sample ran (PIDs 2764, 2828 and 4556 in the WriteProcessMemory entries above), each with the same image path and command line:

C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe

"C:\Users\Admin\AppData\Local\Temp\ba54a9ad4088306222b0227e1d170eb7f86bbfc749eef50603756d2921b5007c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
NL 72.246.173.187:80 www.microsoft.com tcp
US 8.8.8.8:53 112.13.186.128.in-addr.arpa udp
US 8.8.8.8:53 82.156.140.34.in-addr.arpa udp
US 8.8.8.8:53 241.102.22.100.in-addr.arpa udp
US 8.8.8.8:53 88.39.213.129.in-addr.arpa udp
US 8.8.8.8:53 94.206.228.141.in-addr.arpa udp
US 8.8.8.8:53 72.97.197.110.in-addr.arpa udp
US 8.8.8.8:53 241.200.4.5.in-addr.arpa udp
US 8.8.8.8:53 52.57.168.172.in-addr.arpa udp
US 8.8.8.8:53 197.239.52.59.in-addr.arpa udp
US 8.8.8.8:53 166.57.62.28.in-addr.arpa udp
US 8.8.8.8:53 137.104.172.134.in-addr.arpa udp
US 8.8.8.8:53 135.250.209.48.in-addr.arpa udp
US 8.8.8.8:53 243.87.126.62.in-addr.arpa udp
US 8.8.8.8:53 94.64.96.57.in-addr.arpa udp
US 8.8.8.8:53 43.151.118.142.in-addr.arpa udp
US 8.8.8.8:53 146.78.245.147.in-addr.arpa udp
US 8.8.8.8:53 103.167.240.145.in-addr.arpa udp
US 8.8.8.8:53 181.19.129.103.in-addr.arpa udp
US 8.8.8.8:53 108.203.135.56.in-addr.arpa udp
US 8.8.8.8:53 95.25.213.89.in-addr.arpa udp
US 8.8.8.8:53 72.203.161.161.in-addr.arpa udp
US 8.8.8.8:53 142.179.72.84.in-addr.arpa udp
US 8.8.8.8:53 63.176.52.144.in-addr.arpa udp
US 8.8.8.8:53 72.73.101.64.in-addr.arpa udp
US 8.8.8.8:53 80.14.7.67.in-addr.arpa udp
US 8.8.8.8:53 231.225.248.254.in-addr.arpa udp
US 8.8.8.8:53 225.68.169.56.in-addr.arpa udp
US 8.8.8.8:53 219.129.248.196.in-addr.arpa udp
US 8.8.8.8:53 250.40.186.214.in-addr.arpa udp
US 8.8.8.8:53 39.225.35.49.in-addr.arpa udp
US 8.8.8.8:53 117.180.144.14.in-addr.arpa udp
US 8.8.8.8:53 252.38.226.244.in-addr.arpa udp
US 8.8.8.8:53 37.63.117.127.in-addr.arpa udp
US 8.8.8.8:53 248.113.197.157.in-addr.arpa udp
US 8.8.8.8:53 73.255.46.208.in-addr.arpa udp
US 8.8.8.8:53 92.165.177.120.in-addr.arpa udp
US 8.8.8.8:53 193.40.91.61.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 121.236.159.211.in-addr.arpa udp
US 8.8.8.8:53 134.184.240.53.in-addr.arpa udp
US 8.8.8.8:53 102.62.118.167.in-addr.arpa udp
US 8.8.8.8:53 100.4.141.13.in-addr.arpa udp
US 8.8.8.8:53 178.239.6.126.in-addr.arpa udp
US 8.8.8.8:53 203.233.24.19.in-addr.arpa udp
US 8.8.8.8:53 101.242.176.133.in-addr.arpa udp
US 8.8.8.8:53 248.178.113.179.in-addr.arpa udp
US 8.8.8.8:53 116.231.255.142.in-addr.arpa udp
US 8.8.8.8:53 190.239.14.108.in-addr.arpa udp
US 8.8.8.8:53 147.10.10.201.in-addr.arpa udp
US 8.8.8.8:53 98.49.190.211.in-addr.arpa udp
US 8.8.8.8:53 172.117.33.199.in-addr.arpa udp
US 8.8.8.8:53 166.152.247.68.in-addr.arpa udp
US 8.8.8.8:53 151.127.47.28.in-addr.arpa udp
US 8.8.8.8:53 189.194.83.51.in-addr.arpa udp
US 8.8.8.8:53 10.146.108.143.in-addr.arpa udp
US 8.8.8.8:53 226.44.188.232.in-addr.arpa udp
US 8.8.8.8:53 187.4.76.31.in-addr.arpa udp
US 8.8.8.8:53 102.16.16.143.in-addr.arpa udp
US 8.8.8.8:53 18.86.34.52.in-addr.arpa udp
US 8.8.8.8:53 140.210.139.16.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 32.100.206.229.in-addr.arpa udp
US 8.8.8.8:53 2.135.66.250.in-addr.arpa udp
US 8.8.8.8:53 163.134.163.203.in-addr.arpa udp
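Almost every row in the table is a reverse (PTR) lookup of an unrelated IPv4 address sent to 8.8.8.8; the only forward lookup is www.microsoft.com and the only non-DNS traffic is the two TCP connections to 72.246.173.187:80, whose own PTR query (187.173.246.72.in-addr.arpa) also appears. The script below is an added example, not part of the sandbox output: it parses rows in the report's "Country Destination Domain Proto" layout, turns each in-addr.arpa name back into the address being resolved, and reports which reverse-resolved addresses were ever actually contacted. The sample rows are a subset copied from the table above; the rule that a non-DNS connection is anything not on UDP/53 is an assumption that holds for this report.

```python
import re
from collections import Counter

# Constructed sample: a subset of rows copied from the Network table above,
# in the report's own "Country Destination Domain Proto" layout.
NETWORK_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 www.microsoft.com udp",
    "NL 72.246.173.187:80 www.microsoft.com tcp",
    "US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp",
    "NL 72.246.173.187:80 www.microsoft.com tcp",
    "US 8.8.8.8:53 112.13.186.128.in-addr.arpa udp",
    "US 8.8.8.8:53 163.134.163.203.in-addr.arpa udp",
]

ROW_RE = re.compile(
    r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<domain>\S+) (?P<proto>\S+)$"
)
PTR_SUFFIX = ".in-addr.arpa"


def ptr_target(domain):
    """Turn an IPv4 reverse-lookup name back into the address being resolved
    (the octets are stored in reverse order). None if not an IPv4 PTR name."""
    if not domain.endswith(PTR_SUFFIX):
        return None
    octets = domain[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def parse_rows(rows):
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(d)
    return events


def correlate(rows):
    """Split the table into PTR lookups, forward lookups and non-DNS
    connections, then check which reverse-resolved addresses were contacted."""
    ptr_ips = Counter()
    forward = set()
    connections = set()
    for e in parse_rows(rows):
        if e["port"] == 53 and e["proto"] == "udp":
            ip = ptr_target(e["domain"])
            if ip:
                ptr_ips[ip] += 1
            else:
                forward.add(e["domain"])
        else:
            # Assumption: anything not UDP/53 is a real connection attempt.
            connections.add((e["ip"], e["port"], e["proto"]))
    contacted = {ip for ip, _, _ in connections}
    matched = sorted(ip for ip in ptr_ips if ip in contacted)
    return {
        "ptr_lookups": sum(ptr_ips.values()),
        "distinct_ptr_targets": len(ptr_ips),
        "forward_lookups": sorted(forward),
        "connections": sorted(connections),
        "ptr_matched": matched,
        "ptr_unmatched": len(ptr_ips) - len(matched),
    }


if __name__ == "__main__":
    for k, v in correlate(NETWORK_ROWS).items():
        print(f"{k}: {v}")
```

Run over the full table, `ptr_unmatched` is the count of addresses the sample reverse-resolved without ever connecting to them; those addresses, not the Microsoft connection, are the part of this network profile worth alerting on.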

Files

memory/2764-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian bukkake big latex .avi.exe

MD5 3c6f38265534341ed2f817b3587111c2
SHA1 94f50cfa5dd505f629bdd4148956e4957c2adc0d
SHA256 e69522e7cdb7fff758a3fb556d1b3648d7665a8a621b595ec6475cddb478ebc8
SHA512 a89449764cd6a427eab47e5c03487e183ab67dfa9befc32c1b88e4290f50650a72a276c06ccef8d4726be5aba573020d0216b2e1bf05eaaf5b378277cbbd527a

memory/2828-44-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4556-161-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2764-190-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2828-194-0x0000000000400000-0x000000000041D000-memory.dmp

memory/4556-195-0x0000000000400000-0x000000000041D000-memory.dmp