Malware Analysis Report

2025-08-05 10:00

Sample ID 240403-xt8nhsad62
Target 1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40
SHA256 1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40
Tags
persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40

Threat Level: Known bad

The file 1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer upx

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-03 19:09

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 19:09

Reported

2024-04-03 19:12

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish kicking gay public blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\horse public .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\beast hidden titts .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black gang bang hardcore licking .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish action blowjob voyeur (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\russian horse hardcore big .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\horse sleeping hole .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish porn hardcore full movie titts girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\gay [free] sweet (Sandy,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\System32\DriverStore\Temp\blowjob [free] glans .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\xxx [milf] hole .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\japanese horse trambling [milf] cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\american horse trambling [bangbus] hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Google\Temp\tyrkish fetish lingerie big titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\gay licking feet swallow (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\indian beastiality beast [milf] cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\hardcore voyeur latex .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\xxx several models castration .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\swedish cumshot trambling several models feet mature .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish kicking sperm hot (!) ΋ .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\black horse lesbian catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\indian fetish lesbian [milf] sm (Ashley,Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\fucking catfight feet wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\brasilian animal gay lesbian feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EU5927.tmp\japanese handjob hardcore uncut feet .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\dotnet\shared\tyrkish gang bang lingerie uncut girly .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\gay licking cock .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian nude gay girls castration .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Common Files\microsoft shared\horse hidden hole hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\canadian lesbian big hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american action trambling uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\chinese beast voyeur balls (Sonja,Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\russian action bukkake full movie cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\british fucking licking hole .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\blowjob [free] (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\beast lesbian mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lingerie public bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\german hardcore hidden feet 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\russian gang bang bukkake hidden titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\japanese handjob gay hot (!) fishy .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\action sperm [free] hole lady (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\fucking public hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\danish handjob horse sleeping glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\spanish sperm sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.1_none_fa09f84703cb02c5\nude fucking uncut gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\norwegian lesbian licking girly (Sandy,Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\horse fucking [bangbus] cock leather (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\german horse sleeping (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\spanish bukkake [free] feet (Kathrin,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\chinese sperm voyeur beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_6c85d64de79e0985\tyrkish horse beast voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\black action horse [bangbus] hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\brasilian gang bang fucking big titts pregnant (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\lesbian full movie boots (Sonja,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_7862ecae0548fb54\american cum xxx [milf] glans 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\canadian lesbian hidden glans (Britney,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\xxx [milf] shower .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay lesbian cock 50+ (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\french gay sleeping pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\InstallTemp\action blowjob [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\sperm hot (!) feet .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\asian sperm voyeur hole black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\tmp\brasilian handjob lesbian hidden fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\tyrkish horse sperm hot (!) (Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\chinese sperm several models mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\malaysia sperm [free] castration .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\kicking hardcore several models YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\malaysia blowjob sleeping cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\spanish trambling masturbation feet Ôï (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\british sperm full movie glans girly .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\kicking blowjob lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\xxx [free] cock stockings (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\swedish action beast voyeur .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\french xxx full movie .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\blowjob uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\italian nude gay licking titts sweet (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\french blowjob [milf] hole upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\spanish hardcore public hairy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\german lesbian big sm (Britney,Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\african lesbian lesbian shower .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\blowjob several models traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\lesbian lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\asian horse girls .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\danish porn xxx [bangbus] sweet (Sandy,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\american horse sperm [bangbus] glans bedroom (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\spanish sperm [free] sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\canadian blowjob girls beautyfull (Sonja,Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_10.0.19041.1_none_096bb4dc0d5d63a0\gay uncut sweet (Britney,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\german lingerie catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\brasilian horse horse hidden wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\british horse public femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\french horse lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\black porn xxx big hole boots (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\brasilian handjob trambling [free] feet Ôï .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
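The indicator rows above (the Run value, the drive letters probed, the hundreds of dropped files) are the evidence an analyst has to turn into hunting material: the registry value name and its data, the dropped-file naming pattern, and a rough behavioural classification. The parser below does that over a handful of rows copied from this report. It is an added example, not the sandbox's own tooling; it assumes the row layout shown here (description, indicator, process, target, where the process path contains no spaces and the target is always N/A), and its decoy-extension list is limited to the five extensions (.avi, .mpg, .mpeg, .rar, .zip) that occur in this report.

```python
"""Pull IOCs out of sandbox indicator rows of the form shown in this report.

Added example; assumes the row layout '<description> <indicator> <process> <target>'
with a space-free process path and a literal 'N/A' target, as in the tables above.
"""
import re
from dataclasses import dataclass

# Description prefixes that occur in the behavioral tables of this report.
DESCRIPTIONS = ("Set value (str)", "File opened (read-only)", "File created", "Key value queried")

RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$')
DRIVE_RE = re.compile(r"^\\\?\?\\(?P<letter>[A-Z]):$")
# Only the decoy extensions seen in this report; extend the alternation for other samples.
DECOY_RE = re.compile(r"\.(?P<decoy>avi|mpe?g|rar|zip)\.exe$", re.IGNORECASE)


@dataclass
class Indicator:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line: str):
    """Split a row from the right, because the indicator itself may contain spaces
    (the dropped file names do) while process and target do not."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            parts = line[len(desc) + 1:].rsplit(" ", 2)
            if len(parts) != 3:
                return None
            return Indicator(desc, *parts)
    return None


def is_decoy_drop(path: str) -> bool:
    """True for 'name.<media or archive ext>.exe' double extensions."""
    return DECOY_RE.search(path) is not None


def unescape_reg_value(value: str) -> str:
    # The report renders registry string data with doubled backslashes.
    return value.replace("\\\\", "\\")


def summarize(rows):
    s = {"run_keys": [], "drives": [], "decoy_drops": [], "other_drops": [],
         "geo_queries": 0, "unparsed": 0}
    for line in rows:
        ind = parse_row(line)
        if ind is None:
            s["unparsed"] += 1
            continue
        if ind.description == "Set value (str)":
            m = RUN_KEY_RE.search(ind.indicator)
            if m:
                hive = "HKLM" if ind.indicator.startswith(r"\REGISTRY\MACHINE") else "HKU"
                wow = "\\WOW6432Node\\" in ind.indicator  # 32-bit view on 64-bit Windows
                s["run_keys"].append((hive, m["name"], unescape_reg_value(m["value"]), wow))
        elif ind.description == "File opened (read-only)":
            m = DRIVE_RE.match(ind.indicator)
            if m:
                s["drives"].append(m["letter"])
        elif ind.description == "File created":
            bucket = "decoy_drops" if is_decoy_drop(ind.indicator) else "other_drops"
            s[bucket].append(ind.indicator)
        elif ind.description == "Key value queried" and ind.indicator.endswith(r"\Geo\Nation"):
            s["geo_queries"] += 1
    s["drives"].sort()
    return s


def derive_tags(s) -> set:
    """Coarse behavioural tags; the drive threshold (3) is an arbitrary choice."""
    tags = set()
    if s["run_keys"]:
        tags.add("persistence")
    if s["decoy_drops"]:
        tags.add("decoy-double-extension")
    if len(set(s["drives"])) >= 3:
        tags.add("drive-enumeration")
    if s["geo_queries"]:
        tags.add("geo-check")
    return tags


SAMPLE_SHA = "1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40"
PROC = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE_SHA + ".exe"

# Constructed input: rows copied from the report tables above.
REPORT_ROWS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation " + PROC + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" ' + PROC + " N/A",
    r"File opened (read-only) \??\Q: " + PROC + " N/A",
    r"File opened (read-only) \??\B: " + PROC + " N/A",
    r"File opened (read-only) \??\H: " + PROC + " N/A",
    r"File created C:\Windows\mssrv.exe " + PROC + " N/A",
    r"File created C:\Windows\SysWOW64\FxsTmp\horse public .rar.exe " + PROC + " N/A",
    r"File created C:\Program Files\dotnet\shared\tyrkish gang bang lingerie uncut girly .zip.exe " + PROC + " N/A",
    r"File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\spanish sperm sleeping .mpeg.exe " + PROC + " N/A",
]

if __name__ == "__main__":
    s = summarize(REPORT_ROWS)
    for hive, name, value, wow in s["run_keys"]:
        print(f"Run value: {hive}{' (WOW6432Node)' if wow else ''} {name} = {value}")
    print("Drives probed:", " ".join(s["drives"]))
    print("Decoy drops:", len(s["decoy_drops"]), "| other drops:", s["other_drops"])
    print("Tags:", sorted(derive_tags(s)))
```

Two things the output makes explicit for a hunt: the Run value lives under WOW6432Node because the 32-bit sample wrote to HKLM\...\Run on 64-bit Windows, so a registry sweep has to read both the native and the WOW64 view of that key; and `C:\Windows\mssrv.exe` is the one dropped file that is not a decoy, which makes the pair (value name `mssrv32`, path `C:\Windows\mssrv.exe`) the cleanest pivot, with the `*.<media>.exe` name pattern under shared and temp directories as the noisier, broader signal.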

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4928 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4928 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4928 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4928 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4928 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 4204 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 213.122.19.2.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 71.102.69.181.in-addr.arpa udp
US 8.8.8.8:53 172.183.198.137.in-addr.arpa udp
US 8.8.8.8:53 250.114.27.156.in-addr.arpa udp
US 8.8.8.8:53 143.28.157.50.in-addr.arpa udp
US 8.8.8.8:53 242.49.130.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 52.86.6.171.in-addr.arpa udp
US 8.8.8.8:53 215.9.185.104.in-addr.arpa udp
US 8.8.8.8:53 97.51.46.12.in-addr.arpa udp
US 8.8.8.8:53 3.10.105.9.in-addr.arpa udp
US 8.8.8.8:53 190.225.53.112.in-addr.arpa udp
US 8.8.8.8:53 242.55.33.165.in-addr.arpa udp
US 8.8.8.8:53 66.200.1.91.in-addr.arpa udp
US 8.8.8.8:53 209.255.216.105.in-addr.arpa udp
US 8.8.8.8:53 211.29.55.212.in-addr.arpa udp
US 8.8.8.8:53 96.231.144.17.in-addr.arpa udp
US 8.8.8.8:53 125.195.118.69.in-addr.arpa udp
US 8.8.8.8:53 99.34.149.251.in-addr.arpa udp
US 8.8.8.8:53 5.150.44.52.in-addr.arpa udp
US 8.8.8.8:53 88.132.117.227.in-addr.arpa udp
US 8.8.8.8:53 192.12.190.170.in-addr.arpa udp
US 8.8.8.8:53 50.233.172.42.in-addr.arpa udp
US 8.8.8.8:53 253.71.43.187.in-addr.arpa udp
US 8.8.8.8:53 223.168.11.47.in-addr.arpa udp
US 8.8.8.8:53 29.167.199.250.in-addr.arpa udp
US 8.8.8.8:53 223.212.35.32.in-addr.arpa udp
US 8.8.8.8:53 177.227.37.196.in-addr.arpa udp
US 8.8.8.8:53 209.67.46.255.in-addr.arpa udp
US 8.8.8.8:53 199.43.220.224.in-addr.arpa udp
US 8.8.8.8:53 139.255.170.244.in-addr.arpa udp
US 8.8.8.8:53 244.252.13.40.in-addr.arpa udp
US 8.8.8.8:53 215.163.33.152.in-addr.arpa udp
US 8.8.8.8:53 100.53.140.170.in-addr.arpa udp
US 8.8.8.8:53 235.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 166.189.219.109.in-addr.arpa udp

Files

memory/4928-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian nude gay girls castration .avi.exe

MD5 433c2bfdfb237b295604645ab2ce9359
SHA1 b70f92f93dc0986fab5e69029d7b9277c2c45bcd
SHA256 694ef6e60931acdfe7c332bf5f269cd9e3738d37a4f410cf940ba82cfe2f3ff6
SHA512 c5ae12ca137cb8aad7a17afda875c34960b5eeacbd40e4191673fd2bdd0e8d3093cb0bd034836a9a7ae9dbbc8b08bba86e6f1f8d352e136782a858f23bec84fc

memory/4204-10-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4048-12-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1608-13-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4928-193-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4204-195-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4048-199-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1608-201-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 19:09

Reported

2024-04-03 19:12

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian cum lesbian licking feet beautyfull .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gay [free] beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\indian action beast hidden Ôë .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\System32\DriverStore\Temp\italian gang bang lesbian big gorgeoushorny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\sperm uncut wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\IME\shared\sperm masturbation black hairunshaved (Kathrin,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian porn xxx lesbian hole .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\hardcore lesbian hole 50+ .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian gang bang xxx full movie girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SysWOW64\IME\shared\indian kicking lingerie [milf] titts .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\microsoft shared\black horse horse licking girly (Gina,Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Google\Temp\danish cum xxx [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\swedish cumshot beast lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\indian beastiality hardcore full movie high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Windows Journal\Templates\italian cumshot blowjob lesbian stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish kicking bukkake catfight titts .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\danish fetish bukkake licking glans .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\indian porn blowjob voyeur hole sm .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\trambling big (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish porn bukkake full movie wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\gay [milf] feet young (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files\DVD Maker\Shared\black gang bang beast several models redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\tyrkish nude hardcore full movie (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\sperm catfight feet leather (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\russian handjob hardcore [free] hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\british blowjob sleeping mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\fucking licking beautyfull .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\black porn sperm [free] cock fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\tyrkish cum sperm [free] ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\SoftwareDistribution\Download\swedish nude xxx [free] (Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\swedish handjob sperm several models traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\norwegian xxx public .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian horse lingerie [milf] feet traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\canadian beast [free] blondie (Sonja,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\lesbian catfight (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\horse voyeur titts mature (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\japanese gang bang lesbian full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\chinese lingerie hidden pregnant (Jenna,Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\bukkake [milf] cock .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\lesbian voyeur young .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\indian cumshot fucking licking granny (Christine,Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\african bukkake big femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\xxx [milf] swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\animal trambling big feet (Sandy,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\indian handjob xxx [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\action hardcore several models ejaculation (Gina,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\african sperm big feet high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\italian gang bang bukkake masturbation (Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\russian handjob fucking public (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\japanese cum trambling catfight circumcision (Sandy,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\cumshot horse [bangbus] hole girly .rar.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\gang bang lesbian lesbian titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\action beast uncut .avi.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe
PID 2720 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe

"C:\Users\Admin\AppData\Local\Temp\1bea9a2d133def3bd420103c619e8c81eb6d0063218ba76617eaa2d87bbbda40.exe"

Network

Country Destination Domain Proto

Files

memory/2796-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish kicking bukkake catfight titts .rar.exe

MD5 e3c2c4a4755bddd8af4485395e024dee
SHA1 d993e99ef1402c51fc22bba45c11e8747645b91f
SHA256 18184e1924e6d24e02da6e528aa73e6ad41eabe593a4e82418273ffeb63ef09c
SHA512 b57e3a448b38df0f0940d1dea5a7f0cb92e2ad6305068b0d5cb0320120b2dc1e08635b12359fc241332a1f98f8e357487c920695f3e804df122af6d3777d9374

memory/2796-54-0x0000000005D60000-0x0000000005D81000-memory.dmp

memory/2720-55-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2720-89-0x00000000045B0000-0x00000000045D1000-memory.dmp

memory/764-90-0x0000000000400000-0x0000000000421000-memory.dmp

C:\debug.txt

MD5 71a61490e99e891bbe7449dfde3007ae
SHA1 a08a423cad352c5c873b099798dd44f491cc51c8
SHA256 717a6c7e9710ab90b7d8d349c08e7c847d8205cf45bc7002ad13176d26e443d7
SHA512 27438107ed6b063fc8945c78f63c8785dd96aecd533a1c62263513f2bd6f22dbece4c869a67b4ea85dd1e0c7630c0f13264a5720441cf8b67cdd981bae3df650

memory/2796-106-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2720-109-0x00000000045B0000-0x00000000045D1000-memory.dmp

memory/2796-108-0x0000000005D60000-0x0000000005D81000-memory.dmp

memory/764-111-0x0000000000400000-0x0000000000421000-memory.dmp