Malware Analysis Report

2025-03-14 22:52

Sample ID 240406-1kw5xabg8y
Target 63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502
SHA256 63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502
Tags upx persistence spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502

Threat Level: Known bad

The file 63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Reads user/profile data of web browsers

Checks computer location settings

UPX packed file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:43

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:43

Reported

2024-04-06 21:45

Platform

win7-20240221-en

Max time kernel

147s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (8 identical entries, no details recorded)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 identical entries, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\british horse sleeping titts (Curtney,Gina).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american bukkake hot (!) nipples .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\IME\shared\malaysia xxx girls pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\brasilian action beastiality sleeping castration (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\sperm big Ôë (Melissa,Britney).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob [free] girly (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\IME\shared\hardcore hot (!) hole granny .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\beastiality [bangbus] nipples circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\beast voyeur ash fishy (Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\brasilian gay hot (!) fishy .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\british fucking big .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black porn action [bangbus] boots (Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\gay porn hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\handjob uncut (Britney,Britney).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\porn kicking [milf] ash (Sonja,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\action big black hairunshaved (Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\german cumshot fetish licking shower .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\french lingerie gang bang girls young .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\tyrkish handjob lesbian glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\trambling sleeping vagina (Anniston).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Google\Temp\italian trambling licking .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\DVD Maker\Shared\hardcore hidden ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\trambling [milf] sm .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\swedish lesbian hot (!) granny (Ashley).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish beast masturbation (Christine,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\tyrkish xxx lesbian ash (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\xxx [free] redhair .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\porn voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\swedish lingerie beast masturbation glans young .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\chinese hardcore lingerie big stockings .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\cum big traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\cum hardcore [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\Downloaded Program Files\horse sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\french gang bang catfight nipples .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\japanese bukkake girls redhair (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\indian kicking xxx big glans stockings (Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\british animal voyeur .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\beast [bangbus] penetration (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\japanese blowjob big high heels (Britney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\handjob beastiality voyeur YEâPSè& .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\cumshot lesbian (Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american lesbian [free] bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\kicking lingerie sleeping (Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\swedish animal fetish voyeur upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\spanish fucking action licking circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\sperm lesbian voyeur lady .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\norwegian gang bang xxx voyeur .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\handjob uncut legs YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\american sperm licking .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\tmp\japanese blowjob licking .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\asian beast handjob sleeping feet lady .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\british action uncut (Ashley).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\danish beastiality trambling catfight (Anniston,Jenna).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\british lesbian catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\security\templates\lingerie several models (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\black beast bukkake girls femdom (Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\german nude catfight sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\asian cumshot several models .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\spanish gang bang horse catfight feet ìï .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\bukkake xxx licking shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\cumshot action [milf] granny .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\blowjob trambling hidden mature .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\black cumshot nude sleeping bedroom (Jade,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\danish horse public cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\swedish kicking catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\german beastiality girls hole femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cum lesbian balls (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\xxx xxx [bangbus] glans black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\italian cumshot lesbian uncut femdom (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\temp\fucking masturbation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\italian fucking voyeur cock bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\gay big sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\bukkake blowjob [free] boots .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\french lingerie beast girls vagina .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\norwegian porn lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\cumshot kicking uncut sm (Tatjana,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\blowjob big boobs upskirt .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\danish bukkake cumshot lesbian young .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\fucking catfight bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\lesbian fucking masturbation hole (Gina).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\hardcore animal public granny (Karin,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\malaysia nude [free] legs .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\african beast voyeur legs .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\handjob several models .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\bukkake licking cock (Sylvia,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\french horse [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\french cum [bangbus] nipples lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\american animal lingerie uncut traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A (48 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2344 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2344 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2344 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2596 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2596 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2596 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 2596 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.19.195.43.in-addr.arpa udp
US 8.8.8.8:53 94.133.30.2.in-addr.arpa udp
US 8.8.8.8:53 80.132.91.24.in-addr.arpa udp
US 8.8.8.8:53 68.248.69.9.in-addr.arpa udp
US 8.8.8.8:53 248.39.31.7.in-addr.arpa udp
US 8.8.8.8:53 237.138.225.50.in-addr.arpa udp
US 8.8.8.8:53 53.66.146.133.in-addr.arpa udp
US 8.8.8.8:53 72.108.44.216.in-addr.arpa udp
US 8.8.8.8:53 18.223.39.93.in-addr.arpa udp
US 8.8.8.8:53 190.24.230.144.in-addr.arpa udp
US 8.8.8.8:53 175.186.31.220.in-addr.arpa udp
US 8.8.8.8:53 110.26.120.100.in-addr.arpa udp
US 8.8.8.8:53 215.243.246.204.in-addr.arpa udp
US 8.8.8.8:53 29.84.184.67.in-addr.arpa udp
US 8.8.8.8:53 164.183.234.246.in-addr.arpa udp
US 8.8.8.8:53 149.247.46.13.in-addr.arpa udp
US 8.8.8.8:53 125.53.25.130.in-addr.arpa udp

Files

memory/2344-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\french lingerie gang bang girls young .rar.exe

MD5 004c8f2fb3a74229905c97e9cdc07a6d
SHA1 fa5dc16ce54c544ff0b7e3f72961da75f8b454bb
SHA256 bba4a506e4735d6e238e49988abbaabc7de4ac18a834a5c7581cb90cf6d15f3b
SHA512 5f5ca51429dbf04188d7b69dee4f797c2b9256e7e95e296705c322c4abaa614fc395b9325eecaef5eae5b84bcc9c5491d7b478ce97adbb1fe5a2f588768652d9

memory/2344-8-0x0000000004B50000-0x0000000004B71000-memory.dmp

memory/2596-9-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2596-55-0x00000000045A0000-0x00000000045C1000-memory.dmp

memory/2544-56-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2344-95-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2344-97-0x0000000004B50000-0x0000000004B71000-memory.dmp

memory/2596-99-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2596-100-0x00000000045A0000-0x00000000045C1000-memory.dmp

C:\debug.txt

MD5 e363878f1bb0c223bd09aaba7a7a0216
SHA1 ee54844add69d7abcbe00ddfc127bcabaa72d86c
SHA256 eb13156aa1fcb7edc4d1420af4e0b382d1cf1a49cb18619ea7c3d9f32758604c
SHA512 ee22451c623335fa84a4841cc28125c9f7e969d94735b89a4d4ff8df3ee0fe961b11759ad7f7b587d9c6a3a3d88c18cce3e25ee303ad73dd2408804ccc8e632b

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:43

Reported

2024-04-06 21:45

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FxsTmp\trambling voyeur wifey (Sandy,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\american gang bang sperm hidden hole pregnant (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian cumshot blowjob [milf] feet .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black beastiality lesbian [free] .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lesbian uncut bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\russian action lingerie voyeur hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\System32\DriverStore\Temp\american gang bang horse catfight bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\xxx [milf] titts circumcision (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\bukkake uncut YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\gay uncut cock .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\swedish beastiality gay several models feet sm .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\tyrkish horse fucking hidden feet .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Templates\tyrkish porn gay [bangbus] cock sm .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\russian gang bang horse lesbian feet circumcision (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\beastiality trambling hot (!) feet femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\bukkake [bangbus] hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\xxx big feet black hairunshaved (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\dotnet\shared\fucking girls latex .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish horse xxx voyeur swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Google\Temp\trambling masturbation feet penetration (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish horse horse lesbian .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Common Files\microsoft shared\bukkake [milf] young (Ashley,Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\swedish gang bang fucking [free] castration (Christine,Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\lesbian sleeping young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\danish gang bang lesbian uncut glans (Sandy,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\trambling licking mature .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\brasilian porn horse hidden hole .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian kicking gay hidden (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\brasilian kicking horse full movie latex .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\beast catfight traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_netfx-aspnet-nonwow64-shared_b03f5f7f11d50a3a_4.0.19041.1_none_d66d07dacac85e2d\fucking [milf] titts fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\InstallTemp\swedish handjob bukkake [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\handjob horse full movie ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\danish cum hardcore [free] hole .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\german xxx [bangbus] (Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\canadian horse girls YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\swedish horse trambling hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\fetish fucking public feet .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\asian blowjob big glans .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\lingerie masturbation hole wifey (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\fetish sperm big feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\indian cum bukkake public feet (Anniston,Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_7636d1cd418015c8\spanish lingerie big pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\CbsTemp\xxx big femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\horse blowjob lesbian black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\cum fucking sleeping glans girly (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\danish action blowjob lesbian feet blondie .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\chinese fucking [bangbus] (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\nude bukkake full movie titts stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\horse blowjob [bangbus] (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\handjob lingerie public feet high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\russian gang bang blowjob [bangbus] sm .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\black beastiality xxx big feet .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\fucking masturbation titts YEâPSè& .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\handjob beast several models feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\black porn blowjob girls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\temp\brasilian fetish beast masturbation .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\british lingerie hidden cock balls .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_bfae5918c0443f83\horse licking 50+ (Sonja,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.1_none_4a03fd12cb3f16c2\xxx hot (!) hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\tyrkish beastiality gay hot (!) 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\black gang bang blowjob several models redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\horse xxx [milf] (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\british lesbian hidden feet ash .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\animal sperm sleeping pregnant .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\assembly\tmp\fucking catfight lady .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\beast sleeping traffic (Britney,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\gang bang trambling uncut titts .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\american fetish gay [free] (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\indian horse fucking hidden glans 40+ (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\lesbian catfight .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\canadian lesbian sleeping (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\beast masturbation hole blondie .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\swedish nude lingerie [bangbus] 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\british bukkake full movie titts pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\asian fucking [bangbus] (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\danish nude bukkake licking fishy (Britney,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\canadian trambling hot (!) 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\brasilian gang bang hardcore full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\norwegian beast voyeur (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\nude fucking [free] titts 50+ .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\norwegian trambling [bangbus] mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\cumshot horse hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\asian xxx big titts (Sonja,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\blowjob sleeping (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\black action hardcore [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\asian gay hot (!) cock (Anniston,Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\malaysia horse [free] pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\kicking bukkake several models cock .rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\trambling hidden high heels (Sonja,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\italian horse fucking masturbation circumcision (Sandy,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\Downloaded Program Files\sperm licking glans .zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\japanese action trambling [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\spanish sperm uncut fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
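The rows above all follow one shape: the sample writes a copy of itself under a media or archive name with a trailing .exe into system directories whose names mostly contain "share", "shared" or similar. The following is an added example, not part of this report or of any sandbox vendor's tooling; it parses a handful of the rows copied from the table (labelled as a constructed sample), splits each dropped path into directory and file name, and counts the double-extension lures and the share-named target directories so the result can be turned into an EDR hunt. It assumes the row layout seen here, where the dropped path may contain spaces but the writer process path does not.

```python
"""Parse 'File created' rows from the sandbox report and extract hunting artefacts.

Added example; not code from the report or from any sandbox product.
Assumed row layout: 'File created <dropped path> <writer process> <target>'.
"""
import re
from collections import Counter

# Constructed sample: four rows copied from the table above.
SAMPLE_ROWS = r"""
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\beast sleeping traffic (Britney,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\canadian lesbian sleeping (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\trambling hidden high heels (Sonja,Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\japanese action trambling [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
"""

# The dropped path is matched non-greedily; the writer path has no spaces, so the
# split between the two fields is unambiguous for the rows in this report.
ROW_RE = re.compile(
    r"^File created (?P<path>.+?) (?P<writer>[A-Za-z]:\\\S+\.exe) (?P<target>\S+)$"
)
# Inner extensions seen in the report: archive or video names with .exe appended.
LURE_RE = re.compile(r"\.(zip|rar|avi|mpg|mpeg)\.exe$", re.IGNORECASE)


def parse_rows(text):
    """Return one dict per parsable row: target directory, file name, writer process."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        directory, _, name = m.group("path").rpartition("\\")
        rows.append({"dir": directory, "name": name, "writer": m.group("writer")})
    return rows


def is_double_extension_lure(name):
    """True for names such as 'x.zip.exe' that masquerade as media or archives."""
    return LURE_RE.search(name) is not None


def summarize(rows):
    """Aggregate what a hunter needs: lure count, share-named directories, writers."""
    lures = [r for r in rows if is_double_extension_lure(r["name"])]
    return {
        "drops": len(rows),
        "double_extension": len(lures),
        "share_named_dirs": sum("share" in r["dir"].lower() for r in rows),
        "inner_extensions": Counter(LURE_RE.search(r["name"]).group(1).lower() for r in lures),
        "writers": Counter(r["writer"] for r in rows),
    }


def hunting_regex():
    """Path regex usable in most EDR searches for the same lure pattern."""
    return r"\\[^\\]+\.(zip|rar|avi|mpg|mpeg)\.exe$"


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for key, value in summarize(parsed).items():
        print(f"{key}: {value}")
    print("hunt:", hunting_regex())
```

Run against the full table rather than the four sample rows, the same functions give the complete list of target directories, which is the part of this report worth feeding into a file-creation hunt.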

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe N/A
(The report records this row 64 times for the same process and gives no further indicator.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe

"C:\Users\Admin\AppData\Local\Temp\63a4413f3e79eb4f1ccc4a091745e35876f4446ce6543f3940332f71720d7502.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 141.227.118.89.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 94.115.180.223.in-addr.arpa udp
US 8.8.8.8:53 138.184.89.245.in-addr.arpa udp
US 8.8.8.8:53 247.21.48.123.in-addr.arpa udp
US 8.8.8.8:53 253.199.216.56.in-addr.arpa udp
US 8.8.8.8:53 41.176.222.52.in-addr.arpa udp
US 8.8.8.8:53 181.23.115.145.in-addr.arpa udp
US 8.8.8.8:53 16.253.183.38.in-addr.arpa udp
US 8.8.8.8:53 202.4.49.235.in-addr.arpa udp
US 8.8.8.8:53 198.153.254.240.in-addr.arpa udp
US 8.8.8.8:53 180.16.213.151.in-addr.arpa udp
US 8.8.8.8:53 153.43.29.83.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.243.194.183.in-addr.arpa udp
US 8.8.8.8:53 90.116.141.202.in-addr.arpa udp
US 8.8.8.8:53 249.227.200.183.in-addr.arpa udp
US 8.8.8.8:53 30.231.59.75.in-addr.arpa udp
US 8.8.8.8:53 117.49.116.9.in-addr.arpa udp
US 8.8.8.8:53 185.226.35.231.in-addr.arpa udp
US 8.8.8.8:53 198.72.33.28.in-addr.arpa udp
US 8.8.8.8:53 230.222.59.234.in-addr.arpa udp
US 8.8.8.8:53 139.33.250.110.in-addr.arpa udp
US 8.8.8.8:53 197.101.187.57.in-addr.arpa udp
US 8.8.8.8:53 208.88.245.104.in-addr.arpa udp
US 8.8.8.8:53 54.38.82.11.in-addr.arpa udp
US 8.8.8.8:53 228.167.190.186.in-addr.arpa udp
US 8.8.8.8:53 195.196.147.230.in-addr.arpa udp
US 8.8.8.8:53 187.194.55.38.in-addr.arpa udp
US 8.8.8.8:53 119.154.69.224.in-addr.arpa udp
US 8.8.8.8:53 103.57.103.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 182.98.207.49.in-addr.arpa udp
US 8.8.8.8:53 243.179.32.165.in-addr.arpa udp
US 8.8.8.8:53 202.92.151.40.in-addr.arpa udp
US 8.8.8.8:53 93.223.118.15.in-addr.arpa udp
US 8.8.8.8:53 219.252.45.172.in-addr.arpa udp
US 8.8.8.8:53 250.174.61.246.in-addr.arpa udp
US 8.8.8.8:53 198.89.108.135.in-addr.arpa udp
US 8.8.8.8:53 52.121.205.227.in-addr.arpa udp
US 8.8.8.8:53 20.234.60.190.in-addr.arpa udp
US 8.8.8.8:53 250.145.38.252.in-addr.arpa udp
US 8.8.8.8:53 23.161.54.156.in-addr.arpa udp
US 8.8.8.8:53 253.97.82.58.in-addr.arpa udp
US 8.8.8.8:53 23.170.232.104.in-addr.arpa udp
US 8.8.8.8:53 81.245.229.254.in-addr.arpa udp
US 8.8.8.8:53 18.9.208.81.in-addr.arpa udp
US 8.8.8.8:53 188.207.1.173.in-addr.arpa udp
US 8.8.8.8:53 246.88.142.1.in-addr.arpa udp
US 8.8.8.8:53 226.183.13.133.in-addr.arpa udp
US 8.8.8.8:53 229.197.178.158.in-addr.arpa udp
US 8.8.8.8:53 11.160.50.30.in-addr.arpa udp
US 8.8.8.8:53 242.102.252.43.in-addr.arpa udp
US 8.8.8.8:53 56.94.53.146.in-addr.arpa udp
US 8.8.8.8:53 11.178.45.107.in-addr.arpa udp
US 8.8.8.8:53 160.212.112.104.in-addr.arpa udp
US 8.8.8.8:53 71.235.92.193.in-addr.arpa udp
US 8.8.8.8:53 146.93.67.29.in-addr.arpa udp
US 8.8.8.8:53 123.97.112.238.in-addr.arpa udp
US 8.8.8.8:53 247.251.120.84.in-addr.arpa udp
US 8.8.8.8:53 62.217.224.228.in-addr.arpa udp
US 8.8.8.8:53 192.95.151.73.in-addr.arpa udp
US 8.8.8.8:53 120.7.20.78.in-addr.arpa udp
US 8.8.8.8:53 251.156.179.156.in-addr.arpa udp
US 8.8.8.8:53 222.111.215.10.in-addr.arpa udp
US 8.8.8.8:53 234.20.234.248.in-addr.arpa udp
US 8.8.8.8:53 11.228.99.148.in-addr.arpa udp
US 8.8.8.8:53 158.183.15.38.in-addr.arpa udp
US 8.8.8.8:53 5.130.234.91.in-addr.arpa udp
US 8.8.8.8:53 191.76.201.185.in-addr.arpa udp
US 8.8.8.8:53 232.33.170.17.in-addr.arpa udp
US 8.8.8.8:53 124.185.13.202.in-addr.arpa udp
US 8.8.8.8:53 250.142.74.45.in-addr.arpa udp
US 8.8.8.8:53 38.18.219.201.in-addr.arpa udp
US 8.8.8.8:53 89.94.139.191.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
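Every row in the Network table is a reverse (PTR) lookup sent to 8.8.8.8; the report shows no direct connection to any of the addresses being resolved. The following is an added example, not part of this report; it decodes the in-addr.arpa names back into the addresses they describe and reports how scattered they are across /8 and /16 prefixes, which is the first step in separating infrastructure the sandbox OS itself touches from addresses the sample may be interested in. The sample input is a constructed subset of the rows above plus one ordinary forward lookup (not in the report) to show that non-PTR names are ignored; the assumed row layout is the four-column one seen in the table.

```python
"""Decode reverse-lookup rows from the Network table and measure their spread.

Added example; not code from the report or from any sandbox product.
Assumed row layout: '<country> <resolver:port> <query name> <proto>'.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: seven rows copied from the table above plus one forward
# lookup ('example.invalid') that does not appear in the report.
SAMPLE_NET = """
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 191.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 example.invalid udp
"""

PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.IGNORECASE
)


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> IPv4Address('a.b.c.d'); None if not a valid PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(m.groups())))
    except ipaddress.AddressValueError:  # octet out of range
        return None


def parse_net_rows(text):
    """Return the decoded addresses from PTR rows, in table order."""
    ips = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ip = ptr_to_ip(parts[2])
        if ip is not None:
            ips.append(ip)
    return ips


def dispersion(ips):
    """How many distinct /8 and /16 prefixes the looked-up addresses fall in."""
    return {
        "lookups": len(ips),
        "distinct_slash8": len({int(ip) >> 24 for ip in ips}),
        "distinct_slash16": len({int(ip) >> 16 for ip in ips}),
        "global": sum(1 for ip in ips if ip.is_global),
        "top_first_octets": Counter(int(ip) >> 24 for ip in ips).most_common(3),
    }


if __name__ == "__main__":
    decoded = parse_net_rows(SAMPLE_NET)
    for ip in decoded:
        print(ip)
    print(dispersion(decoded))
```

The decoded list still has to be triaged against a clean detonation of the same sandbox image: a lookup that also appears when no sample runs is OS noise, and only the remainder is attributable to the sample.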

Files

memory/4628-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\russian gang bang horse lesbian feet circumcision (Curtney).zip.exe

MD5 6cc9e971ae9bebf2213a876ce1bb060f
SHA1 012e88629e1c378ba5dd7f6c895584e2463b6bf2
SHA256 e3efc80a3568675b5d7d7c5c8fe130d3aa5edd129cf5b6b32da171875432c370
SHA512 f8e8400734883979cbcf5ec3aba3165f8feeae22c7656e19751a252b28cc89120d1bd36670b9dcb16eb570cc43825a0ff7379e19c5cd9441b8cdcaea22524940

memory/1040-44-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4860-160-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4628-193-0x0000000000400000-0x0000000000421000-memory.dmp

memory/1040-194-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4860-196-0x0000000000400000-0x0000000000421000-memory.dmp
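The WriteProcessMemory rows and the memory dump names above describe the same three processes: 4628 writes into 1040, 1040 writes into 4860, and each of the three has a dumped region at 0x400000 of 0x21000 bytes. The following is an added example, not part of this report; it rebuilds that chain from the "wrote to memory of" rows (collapsing the repeated rows the report prints for each pair), parses the dump file names into PID and region, and checks that every process in the chain carries the same region, which is what you expect when one image is re-launched into each child. The sample rows are copied from the tables above; the row and file name layouts are assumptions taken from this page.

```python
"""Rebuild the process chain from 'wrote to memory of' rows and tie PIDs to memory dumps.

Added example; not code from the report or from any sandbox product.
Assumed layouts: 'PID <a> wrote to memory of <b> ...' and
'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp'.
"""
import re

# Constructed sample: rows copied from the WriteProcessMemory table above.
SAMPLE_WPM = r"""
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 4628 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
PID 1040 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\sample.exe C:\Users\Admin\AppData\Local\Temp\sample.exe
"""

# Constructed sample: the dump names listed under Files above.
SAMPLE_DUMPS = """
memory/4628-0-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1040-44-0x0000000000400000-0x0000000000421000-memory.dmp
memory/4860-160-0x0000000000400000-0x0000000000421000-memory.dmp
memory/4628-193-0x0000000000400000-0x0000000000421000-memory.dmp
memory/1040-194-0x0000000000400000-0x0000000000421000-memory.dmp
memory/4860-196-0x0000000000400000-0x0000000000421000-memory.dmp
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\b")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_writes(text):
    """De-duplicated (writer, target) PID pairs in first-seen order."""
    pairs = []
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            pair = (int(m.group(1)), int(m.group(2)))
            if pair not in pairs:
                pairs.append(pair)
    return pairs


def build_chain(pairs):
    """Walk from the single root writer (a PID nobody wrote into) down to the leaf."""
    targets = {t for _, t in pairs}
    roots = list(dict.fromkeys(w for w, _ in pairs if w not in targets))
    if len(roots) != 1:
        raise ValueError(f"expected one root writer, found {roots}")
    child = {w: t for w, t in pairs}  # this report has one child per writer
    chain = [roots[0]]
    while chain[-1] in child:
        nxt = child[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in write graph")
        chain.append(nxt)
    return chain


def parse_dumps(text):
    """Map PID -> list of {'index', 'start', 'size'} parsed from dump file names."""
    dumps = {}
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            continue
        pid, idx = int(m.group(1)), int(m.group(2))
        start, end = int(m.group(3), 16), int(m.group(4), 16)
        dumps.setdefault(pid, []).append({"index": idx, "start": start, "size": end - start})
    return dumps


def same_image_in_every_process(chain, dumps):
    """True if every PID in the chain was dumped at one identical base and size."""
    regions = set()
    for pid in chain:
        if pid not in dumps:
            return False
        regions.update((d["start"], d["size"]) for d in dumps[pid])
    return len(regions) == 1


if __name__ == "__main__":
    chain = build_chain(parse_writes(SAMPLE_WPM))
    dumps = parse_dumps(SAMPLE_DUMPS)
    print(" -> ".join(map(str, chain)))
    print("same image in every process:", same_image_in_every_process(chain, dumps))
```

The 0x21000-byte region at 0x400000 is the only one the sandbox saved for each PID, so the dumps for 1040 and 4860 are the ones to diff against the static UPX dump when checking whether the children run the same unpacked code as the parent.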