Malware Analysis Report

2025-03-14 22:32

Sample ID 240406-1s215acg74
Target 69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325
SHA256 69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325

Threat Level: Known bad

The file 69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:55

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:55

Reported

2024-04-06 21:58

Platform

win7-20240215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\action girls stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\french animal [milf] latex .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\System32\DriverStore\Temp\nude fetish voyeur .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\african handjob trambling sleeping feet pregnant .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\british gang bang big mature .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\IME\shared\beast lingerie masturbation mature (Kathrin).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\xxx action full movie lady .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\spanish animal fetish licking mature .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\swedish kicking beastiality several models hole shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\IME\shared\german lingerie lesbian hole boots .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\french kicking fetish big shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\action several models femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\italian action beast sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\cumshot public shower .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\danish cum gang bang uncut sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\DVD Maker\Shared\cum horse [bangbus] bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\german horse hot (!) boobs high heels .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Google\Temp\french fucking full movie balls .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\cumshot big swallow (Britney).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\indian cumshot bukkake [bangbus] shower .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\russian nude hidden femdom (Ashley,Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\chinese lingerie licking young (Curtney,Sonja).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Windows Journal\Templates\american horse [bangbus] YEâPSè& .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking hot (!) pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\xxx nude hidden traffic (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ServiceProfiles\LocalService\Downloads\horse kicking uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\japanese porn public balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\indian fucking hot (!) titts hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\french bukkake several models hairy (Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\action public high heels (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\spanish gang bang full movie leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\norwegian nude lesbian blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\Temp\gang bang sleeping shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\gay handjob full movie vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\canadian gang bang action several models ash .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\action lesbian ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\african trambling public boots .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black cum fetish girls vagina mature (Karin,Jenna).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\chinese cumshot hot (!) stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\malaysia sperm catfight shower .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\handjob cumshot several models glans 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\beast gay girls legs lady (Kathrin).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\brasilian gay hardcore several models hole girly (Liz,Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\swedish handjob bukkake [free] pregnant .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fucking girls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\indian handjob voyeur (Liz,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\trambling hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\asian trambling uncut (Kathrin,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\spanish beastiality lingerie [milf] wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\brasilian horse voyeur .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\norwegian gay uncut nipples shower .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\french animal cum hot (!) hole redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\spanish cum girls mature (Britney).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\canadian handjob cumshot lesbian legs (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\spanish cum catfight ash (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\french lingerie bukkake girls sweet (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\american fetish catfight penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\asian nude kicking licking traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\kicking gay catfight cock .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\PLA\Templates\asian hardcore xxx catfight hole beautyfull (Tatjana,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\tyrkish lesbian big (Sonja,Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\tyrkish cum gang bang girls hole .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\brasilian trambling cumshot girls boots .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\norwegian cum blowjob uncut granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\hardcore trambling public hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\german beast beastiality public legs bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\danish porn cumshot sleeping cock .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\german lesbian fucking licking .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\chinese xxx [bangbus] leather .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\french handjob nude sleeping ash .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\Downloaded Program Files\german lingerie several models titts sweet (Anniston,Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\porn horse [milf] nipples ejaculation (Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\french lingerie public (Anniston).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\animal kicking big (Tatjana,Anniston).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\african horse horse masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\chinese fucking animal full movie ìï .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\indian horse handjob sleeping ash shower .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\black action hot (!) .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\animal hot (!) .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\brasilian beastiality nude full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\horse animal licking girly .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\norwegian porn beast catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\american bukkake catfight hole shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\tmp\fetish [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\french horse catfight (Sonja,Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\black blowjob fetish [free] feet balls .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\black hardcore licking nipples sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\japanese fucking licking ash .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\malaysia cumshot big hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 2720 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

Network

Country Destination Domain Proto

Files

memory/2824-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\xxx nude hidden traffic (Liz).zip.exe

MD5 a91b962a08ba061f0e58821780a6e872
SHA1 4f09afeaf42f53005cd8bad08217d5dea5eba83a
SHA256 5af5d0e87d8a5c0fe64b1684440a1b8b93421b532ab05bb15b0aa77954b64d14
SHA512 7659e51f031ebc3fd1228686fa9481c6969ee9fee8dd717e5debb1e9e46bcdb0f261a8c8cdafb31892c02d3efdf23a4a07304f95a19c78255de460f582acc9b2

memory/2824-54-0x0000000004A80000-0x0000000004A9E000-memory.dmp

memory/2720-55-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2720-90-0x0000000004CD0000-0x0000000004CEE000-memory.dmp

memory/2796-91-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-93-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2720-96-0x0000000000400000-0x000000000041E000-memory.dmp

C:\debug.txt

MD5 cb89894aef935149396880e4bb0c257f
SHA1 29beda90452a867122654b09d0e00f35504575f5
SHA256 eeda800099b87f04a262602d615fa49516515b1697405982c8cc3f6130df7d85
SHA512 a750e423892536b9ad5f698f05caffd01c28f285fbb71fa86af290f529838e4a90ff964e6a6a858ef879c75e42cfe753c1471d91c59f011d1228ac59e2e64e3c

memory/2796-105-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-106-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-107-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-109-0x0000000004A80000-0x0000000004A9E000-memory.dmp

memory/2720-110-0x0000000004CD0000-0x0000000004CEE000-memory.dmp

memory/2824-112-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-115-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-118-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-123-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-126-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-129-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-132-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-135-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-138-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-141-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-144-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2824-147-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:55

Reported

2024-04-06 21:59

Platform

win10v2004-20240226-en

Max time kernel

164s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\trambling girls .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\System32\DriverStore\Temp\xxx full movie traffic .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american porn xxx licking hotel (Anniston,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\american beastiality sperm catfight glans castration (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\russian porn xxx hidden YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish kicking gay [milf] .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\tyrkish handjob sperm [free] 40+ .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\horse lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish beastiality fucking masturbation femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\indian horse trambling hot (!) .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american horse trambling girls (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\lingerie public .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\bukkake [milf] swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese nude blowjob licking .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\russian handjob bukkake hot (!) cock wifey (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\trambling hot (!) titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\swedish kicking lingerie uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian fetish blowjob full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\lesbian public titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\fucking licking (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\japanese horse blowjob [free] feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\dotnet\shared\brasilian beastiality beast sleeping titts femdom (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cum trambling licking cock gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\american fetish bukkake hidden penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Google\Temp\american horse hardcore several models glans bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\hardcore lesbian balls .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\russian beastiality sperm licking cock wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\gay licking feet granny (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian porn xxx [free] femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\indian action horse several models gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\japanese porn sperm public glans traffic (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\russian handjob xxx hot (!) (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\horse girls mature .zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\Downloaded Program Files\indian cumshot horse masturbation latex .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\sperm hidden feet ¤ç (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\russian animal hardcore uncut feet ΋ (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\british sperm sleeping titts .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\spanish hardcore big cock (Ashley,Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\tyrkish action fucking lesbian shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\german horse [milf] glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\asian blowjob girls feet .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\security\templates\danish porn hardcore [bangbus] ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\indian cumshot beast full movie sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SoftwareDistribution\Download\lingerie masturbation hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\american kicking beast public feet redhair (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\black horse hardcore sleeping cock (Ashley,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\brasilian animal xxx several models bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\german lingerie full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\PLA\Templates\gay uncut feet beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\norwegian lingerie [milf] (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\danish action gay public traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\japanese porn horse voyeur titts .avi.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\brasilian cum gay hidden blondie .rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\chinese blowjob hot (!) redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\lesbian sleeping feet traffic (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3204 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 3204 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 3204 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 3204 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 3204 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 3204 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 2488 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 2488 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe
PID 2488 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe

"C:\Users\Admin\AppData\Local\Temp\69a01a503edbf8c251c09e0ee928547aff40eb6751ef0fea3c69b88d2bbda325.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

memory/3204-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\japanese nude blowjob licking .avi.exe

MD5 a0b1a631f61fa240432fc51d95b23bda
SHA1 55b79d42584b3e1ff7ddbd33787a6e33196b5a03
SHA256 b78c59846c041aa8776a000d83eb79841e1bab4d918a12206e82dab6ebd45ad6
SHA512 f0d96cf265a6c4b8fcb6db14faab29388c47b8fe968b27d1e605481f9bbd65b4d83e0b9b4d8c14dd5b8d52530de54b1ef85643342b7e272972d0c71dbe9ddc07

memory/2488-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3016-17-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-18-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2488-34-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3016-70-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2940-71-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-75-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-76-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-159-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-164-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-168-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-188-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-209-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-213-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3204-217-0x0000000000400000-0x000000000041E000-memory.dmp