Malware Analysis Report

2025-08-06 00:45

Sample ID 240403-xa7xwahf33
Target 0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930
SHA256 0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930

Threat Level: Known bad

The file 0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Checks computer location settings

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:40

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:40

Reported

2024-04-03 18:42

Platform

win7-20240221-en

Max time kernel

154s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FxsTmp\sperm lesbian licking boobs high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\african porn cumshot hidden young (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gay sperm hot (!) young (Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\IME\shared\cum fetish [bangbus] boobs Ôë .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\cum big .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\System32\DriverStore\Temp\african horse catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\IME\shared\russian beastiality bukkake voyeur shoes (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\horse lesbian several models feet castration (Sonja,Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\trambling hot (!) redhair (Liz,Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\canadian lesbian trambling [bangbus] upskirt (Gina,Sandy).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\nude beast sleeping (Britney).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\blowjob uncut upskirt (Britney,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\DVD Maker\Shared\tyrkish horse trambling [milf] stockings (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Windows Journal\Templates\chinese horse catfight .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\horse xxx voyeur 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\french cumshot uncut young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\danish trambling catfight .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\porn sleeping feet granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Google\Temp\tyrkish nude fetish public wifey (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\xxx full movie titts circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\spanish horse beastiality uncut vagina blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\danish hardcore masturbation mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian fucking several models ash girly .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\american lingerie bukkake girls circumcision (Jenna).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\french fetish kicking [free] ash redhair (Kathrin,Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\canadian cum action catfight legs .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\swedish fetish [milf] nipples granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\french lesbian girls (Jenna,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\canadian nude horse hot (!) high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\brasilian cum action catfight lady (Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\Downloaded Program Files\asian sperm full movie titts blondie .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\spanish cumshot beastiality uncut gorgeoushorny (Jenna,Kathrin).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\cum beast [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\fetish sleeping ¼ç .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\bukkake fucking licking (Sonja,Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\african xxx masturbation glans ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\canadian porn sperm [free] titts YEâPSè& (Kathrin,Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\russian porn sperm full movie black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\horse public boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\blowjob sleeping (Melissa,Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\canadian sperm sleeping titts swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\cum fucking [milf] cock latex .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\lingerie action uncut castration (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\german cumshot hidden vagina sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\nude catfight .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\chinese lingerie gay lesbian feet redhair .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\danish blowjob catfight boobs .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\british gay cum [bangbus] nipples black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\lesbian animal voyeur legs (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\cumshot public (Kathrin).mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\beast horse lesbian penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\beast trambling full movie .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\swedish beastiality animal [milf] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\bukkake big shoes (Gina,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\horse lesbian latex .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\gay horse [bangbus] YEâPSè& .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\beastiality lesbian licking latex .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\action trambling licking circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\indian animal lingerie hidden beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bukkake beast full movie circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\horse licking bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\black cum catfight legs shower (Britney).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\horse kicking big .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\action full movie penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\spanish action action uncut latex .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\lesbian [milf] hole lady .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian xxx action public shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\cumshot cumshot girls feet circumcision (Christine,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\spanish action xxx big .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\action blowjob voyeur feet bondage (Janette,Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\danish lesbian handjob [milf] .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\security\templates\cumshot sleeping legs ìï (Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\german xxx licking ash hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\spanish trambling girls feet hotel (Janette,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SoftwareDistribution\Download\malaysia action beastiality voyeur YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\french fetish beastiality catfight ejaculation .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\norwegian handjob trambling [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\french gay [milf] (Janette,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\bukkake handjob [bangbus] upskirt (Melissa,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\animal several models swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\spanish kicking horse hidden (Samantha,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\gay big titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\porn lingerie [bangbus] ejaculation (Britney).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\russian blowjob lingerie girls penetration (Britney,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\fetish voyeur circumcision .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\german cumshot [milf] lady .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\action uncut blondie .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\hardcore [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2144 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2068 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2068 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2068 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2068 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 86.102.151.47.in-addr.arpa udp
US 8.8.8.8:53 112.56.25.168.in-addr.arpa udp
US 8.8.8.8:53 28.46.186.72.in-addr.arpa udp
US 8.8.8.8:53 69.124.50.42.in-addr.arpa udp
US 8.8.8.8:53 186.39.151.197.in-addr.arpa udp
US 8.8.8.8:53 232.238.140.216.in-addr.arpa udp
US 8.8.8.8:53 115.202.239.82.in-addr.arpa udp
US 8.8.8.8:53 15.196.38.131.in-addr.arpa udp
US 8.8.8.8:53 78.117.146.58.in-addr.arpa udp
US 8.8.8.8:53 7.160.75.27.in-addr.arpa udp
US 8.8.8.8:53 11.179.251.36.in-addr.arpa udp
US 8.8.8.8:53 194.206.37.175.in-addr.arpa udp
US 8.8.8.8:53 89.161.214.12.in-addr.arpa udp
US 8.8.8.8:53 174.176.86.81.in-addr.arpa udp
US 8.8.8.8:53 52.164.58.110.in-addr.arpa udp
US 8.8.8.8:53 249.75.239.90.in-addr.arpa udp

Files

memory/2144-0-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-5-0x0000000004A50000-0x0000000004A6C000-memory.dmp

memory/2068-6-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\danish hardcore masturbation mistress .mpeg.exe

MD5 570c8d81d9598a005d5161de45d8c03d
SHA1 9cf94f481bfb4522cbbabed7eeca803da9d6c63b
SHA256 f6bcaac2584d7ceae9564ac94ff2999912e8f7b755c337a7ac2d0b672d3b6ce7
SHA512 9d47560e089c4f5cffd1e44adcb06715401be8a207e6d35bd29e4a09b136de66f15dc038839cafa34c495316fb1478e290145f72ae0c64599f4416a2791e5cbc

memory/2068-53-0x00000000045A0000-0x00000000045BC000-memory.dmp

memory/2484-54-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-67-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2068-80-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-89-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-90-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-91-0x0000000004A50000-0x0000000004A6C000-memory.dmp

memory/2068-94-0x00000000045A0000-0x00000000045BC000-memory.dmp

memory/2144-95-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-98-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-101-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-105-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-110-0x0000000000400000-0x000000000041C000-memory.dmp

C:\debug.txt

MD5 c4c77a1d575703f34fdc812cb03a3d85
SHA1 ec8d857a9abaf49b8d9f885a1e9fd682e3cdc948
SHA256 d29bf559b68b76cbed639f36028b39f5bae2a962f9e9a1a87e69def708d6b538
SHA512 fd9a31f646d38eb2b74d0e639f8e706e99b69028e5307fa591414ce32098fcfe836b7afedaf94dcc76a794cf808440f90a1d443891814628ad0c31e859217fdf

memory/2144-121-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-124-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-127-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-130-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-135-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-138-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-141-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:40

Reported

2024-04-03 18:42

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\fucking lesbian glans 50+ (Ashley).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\beast [free] blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\hardcore blowjob [bangbus] (Sylvia,Christine).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\action lesbian granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\norwegian animal lingerie uncut titts YEâPSè& (Karin,Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian masturbation feet stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\beastiality action sleeping ¼ë .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\kicking full movie granny (Ashley).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\spanish horse nude girls ash .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\spanish lingerie [bangbus] bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\french blowjob cum girls titts 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\spanish beast full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia animal cum [bangbus] traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Google\Temp\canadian sperm bukkake [free] young .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\russian gang bang public YEâPSè& (Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Common Files\microsoft shared\spanish horse beastiality uncut vagina blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\xxx full movie titts circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\blowjob uncut upskirt (Britney,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\indian beastiality lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\nude action voyeur (Ashley).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\chinese horse catfight .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish hardcore masturbation mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\porn sleeping feet granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\indian blowjob sperm [milf] .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{A22979E4-D188-4AF0-A888-04FE21284B11}\EDGEMITMP_19EA3.tmp\handjob lesbian big .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\bukkake gang bang voyeur hole latex .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian cumshot hardcore [bangbus] feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\dotnet\shared\tyrkish horse trambling [milf] stockings (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\nude beast sleeping (Britney).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\tyrkish nude fetish public wifey (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\american lingerie bukkake girls circumcision (Jenna).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\asian kicking hot (!) feet high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\InputMethod\SHARED\african beast gang bang sleeping blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\chinese beast hot (!) redhair .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\animal beastiality catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\french fucking horse hidden boobs .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\spanish kicking public wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\trambling hardcore several models sm .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\italian bukkake gang bang hot (!) lady (Samantha,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\nude hot (!) bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\kicking [milf] lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\bukkake licking pregnant (Sandy,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\american hardcore [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\gay cumshot hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\kicking fetish masturbation ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\action [milf] shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\russian animal [milf] boobs .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\porn kicking [free] pregnant (Britney).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\french sperm animal several models shower (Tatjana,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\fucking full movie penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\fucking trambling [free] (Christine,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\fucking sperm [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\japanese porn animal [free] high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\french horse hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\spanish bukkake public shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\malaysia lesbian fucking catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\black hardcore girls shower (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SoftwareDistribution\Download\bukkake fetish girls blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\beastiality full movie bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\norwegian horse hot (!) titts circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\lingerie kicking masturbation hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\temp\lesbian animal licking ash shower .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\danish porn lesbian boobs penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\fetish big latex .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\british trambling public (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\trambling girls femdom .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\brasilian sperm blowjob catfight 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\horse action [free] ash .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\british porn hardcore hidden gorgeoushorny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\tyrkish blowjob beast sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\sperm lingerie lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob trambling sleeping .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\horse uncut nipples mature .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\fetish hardcore sleeping hole .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\italian action hidden sm .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\chinese gay porn licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\japanese kicking big hotel .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\fetish hidden vagina 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\beast nude [milf] sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\cumshot handjob full movie (Sylvia,Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\danish trambling bukkake sleeping 40+ .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\malaysia fetish horse public .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\assembly\tmp\norwegian cumshot public wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-composable-sharepicker_31bf3856ad364e35_10.0.19041.1_none_c87e96327faffd0e\brasilian horse lesbian shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\canadian trambling [free] bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\chinese sperm full movie boobs hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\german kicking hot (!) hole (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\horse lesbian uncut legs wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\cum kicking [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\porn lingerie catfight (Jenna).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\german nude blowjob full movie bedroom (Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\lesbian lesbian public granny (Liz,Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\lesbian public mature .zip.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\italian nude licking titts (Gina).avi.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\spanish nude horse several models .rar.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 3384 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 3384 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 3384 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 3384 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 3384 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2336 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2336 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe
PID 2336 wrote to memory of 3292 N/A C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe

"C:\Users\Admin\AppData\Local\Temp\0ebfc416ec6c16040cc766e8826cc19b67bd56ee65132eda5377abe7a4c5d930.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/3384-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\danish hardcore masturbation mistress .mpeg.exe

MD5 570c8d81d9598a005d5161de45d8c03d
SHA1 9cf94f481bfb4522cbbabed7eeca803da9d6c63b
SHA256 f6bcaac2584d7ceae9564ac94ff2999912e8f7b755c337a7ac2d0b672d3b6ce7
SHA512 9d47560e089c4f5cffd1e44adcb06715401be8a207e6d35bd29e4a09b136de66f15dc038839cafa34c495316fb1478e290145f72ae0c64599f4416a2791e5cbc

memory/3384-11-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3292-12-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2336-41-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-42-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-126-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4252-130-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3292-132-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-159-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-176-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-180-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-186-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-204-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-209-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-212-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-216-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-220-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-224-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3384-229-0x0000000000400000-0x000000000041C000-memory.dmp