Malware Analysis Report

2025-03-14 22:57

Sample ID 240406-3selyafc39
Target 9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18
SHA256 9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18

Threat Level: Known bad

The file 9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:46

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:46

Reported

2024-04-06 23:48

Platform

win7-20240220-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×5 identical rows)

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×7 identical rows)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×7 identical rows)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" | C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe | N/A

Enumerates connected drives

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe; Target (all rows): N/A
Description | Indicator
File opened (read-only) | \??\Y:
File opened (read-only) | \??\L:
File opened (read-only) | \??\P:
File opened (read-only) | \??\W:
File opened (read-only) | \??\X:
File opened (read-only) | \??\G:
File opened (read-only) | \??\M:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\B:
File opened (read-only) | \??\K:
File opened (read-only) | \??\N:
File opened (read-only) | \??\O:
File opened (read-only) | \??\J:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\R:
File opened (read-only) | \??\S:
File opened (read-only) | \??\A:
File opened (read-only) | \??\E:
File opened (read-only) | \??\H:
File opened (read-only) | \??\I:
File opened (read-only) | \??\T:
File opened (read-only) | \??\U:
File opened (read-only) | \??\V:

Drops file in System32 directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe; Target (all rows): N/A
Description | Indicator
File created | C:\Windows\SysWOW64\config\systemprofile\malaysia xxx sperm [free] shoes .zip.exe
File created | C:\Windows\SysWOW64\config\systemprofile\malaysia cumshot kicking public .avi.exe
File created | C:\Windows\SysWOW64\FxsTmp\spanish porn animal hot (!) (Liz,Janette).rar.exe
File created | C:\Windows\SysWOW64\IME\shared\danish horse hidden .avi.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\asian gang bang hot (!) gorgeoushorny (Sylvia,Curtney).mpeg.exe
File created | C:\Windows\System32\DriverStore\Temp\blowjob cumshot public .mpeg.exe
File created | C:\Windows\SysWOW64\FxsTmp\italian lesbian hardcore full movie glans .mpg.exe
File created | C:\Windows\SysWOW64\IME\shared\blowjob public hole shoes .mpg.exe
File created | C:\Windows\System32\LogFiles\Fax\Incoming\italian kicking lingerie hot (!) castration .mpeg.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\chinese porn xxx several models hole (Sonja).mpeg.exe

Drops file in Program Files directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe; Target (all rows): N/A
Description | Indicator
File created | C:\Program Files\Common Files\Microsoft Shared\black gay sleeping glans wifey .rar.exe
File created | C:\Program Files\Windows Journal\Templates\german horse cum girls shower (Jenna,Jenna).mpg.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\xxx hidden legs 50+ .mpg.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\indian trambling bukkake catfight sweet .zip.exe
File created | C:\Program Files\Windows Sidebar\Shared Gadgets\chinese cumshot full movie .rar.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\brasilian fetish handjob voyeur .zip.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\russian trambling uncut feet shoes .mpeg.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\canadian horse [free] .zip.exe
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\italian nude lingerie lesbian .rar.exe
File created | C:\Program Files (x86)\Google\Temp\german beast kicking lesbian traffic (Janette,Liz).mpeg.exe
File created | C:\Program Files (x86)\Google\Update\Download\brasilian action trambling masturbation beautyfull (Samantha).rar.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\action cum hidden bedroom .zip.exe
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\fucking catfight (Ashley,Sylvia).mpg.exe
File created | C:\Program Files\DVD Maker\Shared\lesbian gay public cock .mpg.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\japanese horse several models nipples traffic (Christine,Curtney).rar.exe

Drops file in Windows directory

Process (all rows): C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe; Target (all rows): N/A
Description | Indicator
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\beastiality big .mpg.exe
File created | C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\spanish cumshot fetish public high heels .avi.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\brasilian beast handjob voyeur legs .mpg.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\italian cum gang bang uncut (Tatjana,Jade).mpeg.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\beastiality fetish girls feet hairy .zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\tyrkish fucking hardcore voyeur nipples (Sarah).zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\hardcore voyeur beautyfull .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\canadian kicking porn girls (Kathrin).zip.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\asian sperm hardcore catfight .mpg.exe
File created | C:\Windows\mssrv.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\action beastiality public 50+ .avi.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\british beast sperm [bangbus] (Tatjana).rar.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\porn voyeur .avi.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\beastiality handjob hidden sm .mpeg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\french handjob porn several models (Tatjana).rar.exe
File created | C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\swedish porn [free] .mpeg.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\french fucking handjob catfight 40+ .rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\fucking lesbian bondage .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\brasilian blowjob horse voyeur (Melissa,Samantha).mpeg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\handjob kicking public cock redhair .rar.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian beast lesbian hidden young .rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\trambling cumshot lesbian hairy .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\hardcore public cock 40+ (Gina,Curtney).rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\chinese action cum hidden 40+ .mpeg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\japanese porn gang bang uncut YEâPSè& (Britney,Melissa).rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\lingerie big ejaculation (Jenna).avi.exe
File created | C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\chinese cum masturbation wifey .mpg.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm [free] titts circumcision .rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\nude handjob [bangbus] balls (Sonja).rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\danish gay big bedroom (Karin,Ashley).mpg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\fucking uncut sweet .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\brasilian kicking animal hidden (Britney).zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\canadian horse [free] .mpg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\italian animal hidden penetration .rar.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\hardcore lesbian several models .zip.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\italian animal fetish full movie legs femdom .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\fetish [free] .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\german beast hardcore public .mpeg.exe
File created | C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\italian kicking gang bang licking .mpeg.exe
File created | C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\italian horse full movie .mpeg.exe
File created | C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\lingerie cumshot several models upskirt .mpeg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\italian bukkake action voyeur hotel .avi.exe
File created | C:\Windows\Downloaded Program Files\asian hardcore kicking full movie .zip.exe
File created | C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\chinese lingerie several models beautyfull .zip.exe
File created | C:\Windows\security\templates\swedish hardcore cum licking mistress (Janette,Ashley).mpg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\african hardcore public blondie (Jade,Sylvia).mpeg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\sperm big .mpeg.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\black handjob nude masturbation (Christine,Kathrin).mpeg.exe
File created | C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\handjob fetish hidden shoes .zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\german gay nude hot (!) fishy (Sonja,Sonja).rar.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\brasilian cum licking .mpeg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\cumshot lesbian several models .mpeg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\american lingerie lesbian penetration .mpg.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\spanish beast hot (!) circumcision .avi.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\japanese sperm beastiality several models bondage .zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\russian trambling lesbian bedroom (Curtney).mpg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\gay beastiality hidden glans girly (Samantha).avi.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\malaysia beastiality licking cock .avi.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\danish gay [free] upskirt .zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\blowjob blowjob voyeur granny (Sandy).mpeg.exe
File created | C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\xxx [bangbus] titts castration .mpeg.exe
File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\nude hardcore masturbation hairy .rar.exe
File created | C:\Windows\ServiceProfiles\NetworkService\Downloads\horse cum licking glans 50+ (Sonja,Jade).zip.exe
File created | C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\spanish sperm masturbation .avi.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe
PID 2608 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

Network

Country Destination Domain Proto

Files

memory/2372-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\chinese cumshot full movie .rar.exe

MD5 9e5519a482aea15426dca86db265b7f0
SHA1 69e9de45ef2604980dfe6179bce35ef821c67344
SHA256 f989149e4a50b6929efed2929ddce7d2abd7c04a63e33dd96f220edd5806e365
SHA512 727ee9544d2551933abf35c7415eb2f1cd88d687b32895c29e5d4656623045df4258fb0457f995042bb65856879121ef57adc7edc3b710b6793704321a6088f6

memory/2372-65-0x0000000005190000-0x00000000051B1000-memory.dmp

memory/2608-66-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2608-90-0x0000000004590000-0x00000000045B1000-memory.dmp

memory/2480-91-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2372-108-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2372-110-0x0000000005190000-0x00000000051B1000-memory.dmp

memory/2608-111-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2608-112-0x0000000004590000-0x00000000045B1000-memory.dmp

memory/2480-113-0x0000000000400000-0x0000000000421000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:46

Reported

2024-04-06 23:48

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\swedish nude blowjob [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\lesbian sleeping swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\black animal lingerie catfight shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\System32\DriverStore\Temp\sperm [bangbus] (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\italian kicking horse big blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\lingerie [milf] stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black gang bang horse voyeur redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\tyrkish cum hardcore [bangbus] mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\fucking uncut granny (Anniston,Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gang bang sperm catfight cock ejaculation .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black gang bang xxx girls circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Templates\black fetish hardcore big (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\russian fetish lingerie catfight gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\malaysia blowjob hidden hole .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish porn lingerie voyeur glans sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Google\Temp\sperm several models (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\danish gang bang beast licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Common Files\microsoft shared\swedish beastiality gay full movie glans girly .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish action lingerie licking glans high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\beast masturbation cock ash .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\italian fetish lesbian voyeur hole balls .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\black horse horse girls upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\hardcore big ash .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\brasilian handjob horse [free] hole girly (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\dotnet\shared\japanese porn lesbian hidden hole lady (Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\blowjob [bangbus] titts (Sonja,Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\brasilian kicking fucking catfight castration .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\russian fetish lingerie hot (!) high heels (Britney,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\swedish nude horse lesbian cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\nude fucking full movie 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\american nude beast lesbian glans (Jenna,Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\chinese lingerie [milf] (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\tyrkish handjob lingerie uncut (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_c6da8048542fddc7\brasilian cum xxx uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\xxx catfight pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\french lingerie girls wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\beastiality hardcore masturbation .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\SoftwareDistribution\Download\brasilian action lesbian sleeping YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\french xxx hidden swallow (Sonja,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\porn horse lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\malaysia gay girls balls .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\canadian trambling voyeur glans black hairunshaved (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\norwegian xxx uncut redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\action beast [milf] .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\assembly\temp\bukkake masturbation glans bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\italian beastiality lesbian [bangbus] glans hairy (Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\chinese horse voyeur titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\fetish gay licking (Samantha).rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\french trambling uncut sm .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\norwegian fucking [free] cock sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\malaysia lingerie masturbation (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\japanese cum hardcore [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\tyrkish handjob lingerie girls .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\indian nude xxx licking .mpg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\beastiality hardcore full movie (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\russian beastiality trambling sleeping balls .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\african bukkake several models swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\british lingerie masturbation feet boots .zip.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\canadian blowjob sleeping (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\indian kicking gay hidden (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 64 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe
PID 64 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe
PID 4476 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe

"C:\Users\Admin\AppData\Local\Temp\9cf3453b79ed713408eeb6e87e1af53a42d76ffc259c727139d0bc702a35df18.exe"

Network

Country Destination Domain Proto

Files

memory/64-0-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\tyrkish action lingerie licking glans high heels .zip.exe

MD5 16ddcd5448567e961872b518bbfbb8bc
SHA1 f879483b49b7a420aecdde9ce8b4eed33834b601
SHA256 b270d7538820cf0381a4ff07f8ff7721e1513572d3cf50683eacf29b21c6eaae
SHA512 ed2604f3e3dae0703621559848d79d40065fc3ecf1a5d444a2dd8a1f87645783b25b684ee3c1e2a35bd724576781ff3b45e9920b5af507dbb64c5edcc6002dd0

memory/4476-85-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4784-163-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3108-164-0x0000000000400000-0x0000000000421000-memory.dmp

memory/64-193-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4476-194-0x0000000000400000-0x0000000000421000-memory.dmp

memory/4784-196-0x0000000000400000-0x0000000000421000-memory.dmp

memory/3108-197-0x0000000000400000-0x0000000000421000-memory.dmp

C:\debug.txt

MD5 ce55335e847ff3f9eed91bd25c352bc4
SHA1 0d3d02306195a9f1e98613a1ea6306a09722c7f0
SHA256 99b037d7e2c2ded1db053dc114131f36fdf4c1003b2d89d35ea22564985b2f5e
SHA512 3365731432c31cddc79de5d2d33c568516685d2fe58abcb279e9221da363144c2f67d2c6adb9d784aefcf10c0ceca45820d25cbd35df7580cf19f2a530d205d4