Malware Analysis Report

2025-08-06 00:45

Sample ID 240403-xhsg6ahe5t
Target 1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd
SHA256 1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd

Threat Level: Known bad

The file 1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:51

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:51

Reported

2024-04-03 18:54

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IME\shared\italian fetish trambling masturbation boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\indian fetish fucking voyeur (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob full movie (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\System32\DriverStore\Temp\japanese fetish trambling several models (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\gay public (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\italian fetish beast girls .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\german trambling hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\IME\shared\horse sleeping glans young .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\indian gang bang bukkake lesbian titts .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish gang bang sperm uncut YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\gay hot (!) wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\horse [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Google\Temp\danish cum horse [bangbus] stockings (Anniston,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\swedish nude bukkake girls feet circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\handjob lesbian catfight glans (Jenna,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Windows Journal\Templates\fucking voyeur hole .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\swedish horse lesbian licking .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\indian nude trambling [bangbus] YEâPSè& (Gina,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\russian porn lingerie licking .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian cum lingerie several models hole wifey (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\gay licking cock girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\DVD Maker\Shared\lesbian [bangbus] (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese cum beast catfight feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\swedish kicking hardcore licking (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\black porn hardcore sleeping titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\porn beast [bangbus] (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\spanish sperm public feet wifey .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx [bangbus] titts .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\norwegian xxx licking hole (Anniston,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\action sperm lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\lesbian licking (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\british hardcore full movie girly (Anniston,Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\african sperm hidden titts granny (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\cum lesbian girls 50+ (Anniston,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\british gay licking .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\lingerie hot (!) cock penetration (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\cumshot beast masturbation titts pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\tyrkish action hardcore uncut .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\japanese handjob hardcore [bangbus] glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian animal trambling uncut feet traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\tyrkish porn gay hot (!) fishy (Ashley,Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\canadian blowjob [bangbus] (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\porn sperm [milf] titts beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\bukkake big titts shower .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\german lesbian [milf] .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\german xxx [milf] (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\black gang bang lingerie [free] glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\chinese fucking voyeur swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\american gang bang bukkake licking feet ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\norwegian fucking sleeping ìï (Ashley,Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\african xxx [milf] pregnant (Sandy,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\blowjob [free] high heels (Sonja,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\temp\lingerie lesbian feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\indian cum xxx hidden ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\malaysia trambling [milf] shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\african trambling lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\asian trambling several models upskirt (Ashley,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\chinese trambling girls .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\french hardcore lesbian feet hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\lesbian uncut titts beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\french beast uncut cock sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\cum bukkake girls hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\asian lingerie masturbation cock ash (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\Temp\indian animal lesbian masturbation glans .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\german xxx masturbation wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\spanish bukkake [bangbus] mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\cum beast catfight hole (Sandy,Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\british beast lesbian 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\norwegian xxx [milf] hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\swedish kicking blowjob masturbation cock boots (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\beastiality bukkake hot (!) YEâPSè& (Sonja,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\tyrkish handjob beast [free] swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\cum lingerie public .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\spanish hardcore several models shower .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\brasilian gang bang lesbian girls granny .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish horse sperm full movie glans mistress (Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\handjob horse hot (!) .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\PLA\Templates\indian fetish trambling licking (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\russian animal hardcore hot (!) pregnant (Sonja,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\action hardcore public (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\indian animal hardcore [milf] titts boots (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\canadian xxx public (Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\hardcore masturbation (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\malaysia beast several models beautyfull .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\malaysia lesbian voyeur hole hotel (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\british beast [free] feet beautyfull .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\tyrkish kicking sperm hot (!) glans YEâPSè& (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\porn lingerie sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\italian handjob bukkake girls (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 2360 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

Network

Country Destination Domain Proto

Files

memory/1912-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\horse [bangbus] .zip.exe

MD5 adb9367884da0fa836870b96edd46011
SHA1 0fcce10ff2186f30f4741b05009e29955c65a03d
SHA256 b22bc787c2937522b1bffd84ac12ba622cfc6bf62cecca9090d2111958a9a312
SHA512 91ce44359622a2c8a6e83471c4a82d0e2b9b6a673a1a0e7fbbf00eb2b2e1890b01a25516560da737f46c4573727e9edf480d53dd3e22ad356a6de3e081ea535c

memory/1912-64-0x0000000005240000-0x000000000525F000-memory.dmp

memory/2360-65-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2360-88-0x0000000004CD0000-0x0000000004CEF000-memory.dmp

memory/2424-89-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1912-104-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1912-106-0x0000000005240000-0x000000000525F000-memory.dmp

memory/2360-108-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2360-110-0x0000000004CD0000-0x0000000004CEF000-memory.dmp

memory/2424-111-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:51

Reported

2024-04-03 18:54

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\trambling lesbian hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian nude xxx uncut titts high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\russian porn fucking big circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\blowjob girls .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black handjob gay licking girly .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\indian nude xxx catfight .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black cum trambling [bangbus] shoes (Sonja,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\System32\DriverStore\Temp\beast lesbian stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american fetish bukkake big hole .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\indian beastiality blowjob girls .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american animal horse girls traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\black animal horse hot (!) glans boots (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\swedish nude bukkake girls feet circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\danish nude blowjob [bangbus] girly .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Common Files\microsoft shared\gay licking cock girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese cum beast catfight feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black porn hardcore sleeping titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Google\Temp\trambling hot (!) traffic .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\dotnet\shared\lesbian [bangbus] (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\swedish horse lesbian licking .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\horse lesbian cock shoes (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\black nude xxx sleeping (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian gang bang blowjob licking cock mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish cum horse [bangbus] stockings (Anniston,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\swedish kicking hardcore licking (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\brasilian nude lingerie licking YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\japanese animal hardcore uncut hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\sperm lesbian latex (Ashley,Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\fucking voyeur hole .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\horse voyeur cock fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\sperm [milf] titts wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\Temp\cumshot hardcore uncut wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\danish handjob blowjob uncut ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\swedish fetish gay masturbation sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\brasilian porn lesbian several models blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\japanese beastiality lesbian public hotel (Sonja,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\horse lingerie hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\cum sperm several models .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\trambling masturbation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\horse hardcore [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\animal sperm licking bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\horse hot (!) titts balls (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\chinese trambling girls .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\german xxx licking (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\danish fetish trambling licking 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\fucking [bangbus] 50+ (Sonja,Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\black action gay several models upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\beast hidden feet granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\fucking uncut gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_7d9dab4e456449b1\italian porn trambling licking feet lady .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\british bukkake hidden hole traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\russian cumshot lingerie lesbian pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\malaysia xxx sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\blowjob uncut (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\french horse hot (!) ash .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\nude gay lesbian glans (Sandy,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\porn bukkake full movie ash (Sandy,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\british hardcore lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\american cum trambling lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\danish porn xxx [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\bukkake voyeur stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\porn lesbian full movie hole 40+ (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\horse trambling [milf] mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\british blowjob big feet .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\nude bukkake catfight titts redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\lingerie [milf] (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\Downloaded Program Files\japanese kicking beast hidden circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\russian gang bang lingerie full movie castration (Gina,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\swedish gang bang horse [bangbus] 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\german lesbian public young .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\spanish xxx [milf] cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\fetish hardcore big glans latex .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\brasilian nude horse licking circumcision .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\SoftwareDistribution\Download\horse several models black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\cumshot trambling hot (!) leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\american kicking bukkake several models hole .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\african horse big .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\swedish gang bang lesbian [milf] sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\handjob fucking hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\canadian gay catfight (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\malaysia horse girls balls .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\beast licking latex .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\malaysia blowjob big (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\swedish horse hardcore full movie cock Ôï .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\malaysia trambling big hole mistress (Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\japanese horse blowjob masturbation hole .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_9aa486d790131d4e\norwegian trambling hidden hole .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\spanish sperm girls cock .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_2426cc56d654beaa\brasilian gang bang lesbian [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\brasilian action hardcore lesbian feet gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\security\templates\lingerie voyeur mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\black action beast several models black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\french horse catfight cock high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4668 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4668 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4668 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4668 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4668 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4668 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4004 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4004 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe
PID 4004 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe

"C:\Users\Admin\AppData\Local\Temp\1314259fe21d8ee8102c8ed70c9b2e90113c085daa1d5842af6ccd53778560cd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 249.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 218.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 107.184.173.218.in-addr.arpa udp
US 8.8.8.8:53 210.135.164.78.in-addr.arpa udp
US 8.8.8.8:53 62.101.55.16.in-addr.arpa udp
US 8.8.8.8:53 12.17.207.85.in-addr.arpa udp
US 8.8.8.8:53 122.144.183.78.in-addr.arpa udp
US 8.8.8.8:53 21.196.39.229.in-addr.arpa udp
US 8.8.8.8:53 156.220.159.4.in-addr.arpa udp
US 8.8.8.8:53 102.123.187.244.in-addr.arpa udp
US 8.8.8.8:53 103.203.75.97.in-addr.arpa udp
US 8.8.8.8:53 18.117.83.119.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 186.120.170.22.in-addr.arpa udp
US 8.8.8.8:53 78.194.163.9.in-addr.arpa udp
US 8.8.8.8:53 152.79.43.24.in-addr.arpa udp
US 8.8.8.8:53 223.139.182.255.in-addr.arpa udp
US 8.8.8.8:53 136.82.131.79.in-addr.arpa udp
US 8.8.8.8:53 86.177.246.124.in-addr.arpa udp
US 8.8.8.8:53 88.41.219.116.in-addr.arpa udp
US 8.8.8.8:53 20.102.106.7.in-addr.arpa udp
US 8.8.8.8:53 94.136.160.47.in-addr.arpa udp
US 8.8.8.8:53 42.124.16.206.in-addr.arpa udp
US 8.8.8.8:53 100.105.78.22.in-addr.arpa udp
US 8.8.8.8:53 164.132.70.123.in-addr.arpa udp
US 8.8.8.8:53 40.132.172.212.in-addr.arpa udp
US 8.8.8.8:53 11.217.131.164.in-addr.arpa udp
US 8.8.8.8:53 252.157.56.108.in-addr.arpa udp
US 8.8.8.8:53 161.121.215.28.in-addr.arpa udp
US 8.8.8.8:53 147.186.126.17.in-addr.arpa udp
US 8.8.8.8:53 248.187.93.62.in-addr.arpa udp
US 8.8.8.8:53 186.200.116.193.in-addr.arpa udp
US 8.8.8.8:53 246.95.120.243.in-addr.arpa udp
US 8.8.8.8:53 15.124.25.67.in-addr.arpa udp
US 8.8.8.8:53 76.10.63.190.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 4.35.74.28.in-addr.arpa udp
US 8.8.8.8:53 18.76.43.133.in-addr.arpa udp
US 8.8.8.8:53 129.95.105.66.in-addr.arpa udp
US 8.8.8.8:53 87.184.175.8.in-addr.arpa udp
US 8.8.8.8:53 29.3.216.9.in-addr.arpa udp
US 8.8.8.8:53 133.84.209.139.in-addr.arpa udp
US 8.8.8.8:53 234.37.134.55.in-addr.arpa udp
US 8.8.8.8:53 110.180.67.203.in-addr.arpa udp
US 8.8.8.8:53 214.102.82.64.in-addr.arpa udp
US 8.8.8.8:53 182.38.96.209.in-addr.arpa udp
US 8.8.8.8:53 232.237.129.78.in-addr.arpa udp
US 8.8.8.8:53 222.27.17.2.in-addr.arpa udp
US 8.8.8.8:53 77.107.212.179.in-addr.arpa udp
US 8.8.8.8:53 184.140.49.194.in-addr.arpa udp
US 8.8.8.8:53 210.159.105.6.in-addr.arpa udp
US 8.8.8.8:53 119.15.125.47.in-addr.arpa udp
US 8.8.8.8:53 77.216.12.87.in-addr.arpa udp
US 8.8.8.8:53 160.81.136.136.in-addr.arpa udp
US 8.8.8.8:53 164.145.58.220.in-addr.arpa udp
US 8.8.8.8:53 187.106.118.162.in-addr.arpa udp
US 8.8.8.8:53 104.151.171.156.in-addr.arpa udp
US 8.8.8.8:53 124.188.147.227.in-addr.arpa udp
US 8.8.8.8:53 51.59.26.77.in-addr.arpa udp
US 8.8.8.8:53 123.150.190.201.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4668-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\horse [bangbus] .zip.exe

MD5 adb9367884da0fa836870b96edd46011
SHA1 0fcce10ff2186f30f4741b05009e29955c65a03d
SHA256 b22bc787c2937522b1bffd84ac12ba622cfc6bf62cecca9090d2111958a9a312
SHA512 91ce44359622a2c8a6e83471c4a82d0e2b9b6a673a1a0e7fbbf00eb2b2e1890b01a25516560da737f46c4573727e9edf480d53dd3e22ad356a6de3e081ea535c

memory/4004-61-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2100-165-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4668-193-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4004-196-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2100-197-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3208-199-0x0000000000400000-0x000000000041F000-memory.dmp