Malware Analysis Report

2024-11-15 06:11

Sample ID 240407-3svm6aad49
Target 9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202
SHA256 9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202

Threat Level: Known bad

The file 9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:47

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
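The three static signatures above ("UPX dump on OEP", "UPX packed file", "Unsigned PE") are header-level observations that can be reproduced without running the sample. The check below is an added example, not the sandbox's own rule and not code from the report: it walks the PE section table with the standard library only and reports the usual UPX tells (UPX0/UPX1 section names, a first section with no raw data but a large virtual size that serves as the unpack destination, the entry point sitting in the last executable section where the decompression stub lives, and the "UPX!" marker), and it reads the Certificate Table data directory to tell whether the file carries an embedded Authenticode signature. The two PE images it runs on are constructed in the block (header-only, not runnable binaries, not derived from the sample); section layout and characteristics flags are the assumptions.

```python
"""Static checks behind the "UPX packed file" and "Unsigned PE" signatures.
Added example: parses PE headers with struct only; the images are constructed."""
import struct

EXEC, READ, WRITE = 0x20000000, 0x40000000, 0x80000000   # IMAGE_SCN_MEM_*
CODE, IDATA, UDATA = 0x20, 0x40, 0x80                    # IMAGE_SCN_CNT_*


def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]


def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = _u32(pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    nsec, opt_size = _u16(pe, coff + 2), _u16(pe, coff + 16)
    opt = coff + 20
    entry = _u32(pe, opt + 16)          # same offset for PE32 and PE32+
    tbl = opt + opt_size
    secs = []
    for i in range(nsec):
        o = tbl + 40 * i
        secs.append({"name": pe[o:o + 8].rstrip(b"\0").decode("latin-1"),
                     "vsize": _u32(pe, o + 8), "vaddr": _u32(pe, o + 12),
                     "rawsize": _u32(pe, o + 16), "rawptr": _u32(pe, o + 20),
                     "chars": _u32(pe, o + 36)})
    return entry, secs


def upx_indicators(pe):
    """List the UPX tells found in the headers; empty list means none."""
    entry, secs = parse_sections(pe)
    hits = []
    upx_names = [s["name"] for s in secs if s["name"].startswith("UPX")]
    if upx_names:
        hits.append("section names %s" % ",".join(upx_names))
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] >= 0x1000:
        hits.append("first section has no raw data but %#x bytes virtual (unpack target)"
                    % secs[0]["vsize"])
    code = [s for s in secs if s["chars"] & EXEC]
    if len(code) >= 2:   # packed: stub is the last executable section, OEP is in the first
        last = code[-1]
        if last["vaddr"] <= entry < last["vaddr"] + max(last["vsize"], last["rawsize"]):
            hits.append("entry point %#x lies in last executable section %s" % (entry, last["name"]))
    if b"UPX!" in pe:
        hits.append("UPX! marker present")
    return hits


def has_embedded_signature(pe):
    """True if the Certificate Table data directory is populated.
    False means no Authenticode signature inside the file; a catalog
    signature would not show up here."""
    pe_off = _u32(pe, 0x3C)
    opt = pe_off + 24
    dd = opt + (96 if _u16(pe, opt) == 0x10B else 112) + 4 * 8   # index 4
    return _u32(pe, dd) != 0 and _u32(pe, dd + 4) != 0


def build_pe(sections, entry_rva, extra=b""):
    """Constructed minimal PE32 image: DOS header, COFF header, 224-byte
    optional header, section table. Header-only, not executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                   for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tbl + extra


# Constructed layouts: a typical UPX-packed image and a plain compiler output.
UPX_PACKED = build_pe([
    (b"UPX0", 0x30000, 0x01000, 0x0000, 0x0400, EXEC | READ | WRITE | UDATA),
    (b"UPX1", 0x09000, 0x31000, 0x8800, 0x0400, EXEC | READ | WRITE | IDATA),
    (b".rsrc", 0x1000, 0x3A000, 0x0600, 0x8C00, READ | WRITE | IDATA),
], entry_rva=0x39A60, extra=b"UPX!")
CLEAN = build_pe([
    (b".text", 0x5000, 0x1000, 0x5000, 0x0400, EXEC | READ | CODE),
    (b".rdata", 0x2000, 0x6000, 0x2000, 0x5400, READ | IDATA),
    (b".data", 0x1000, 0x8000, 0x0400, 0x7400, READ | WRITE | IDATA),
], entry_rva=0x1234)

if __name__ == "__main__":
    for label, img in (("packed", UPX_PACKED), ("clean", CLEAN)):
        print(label, upx_indicators(img), "signed:", has_embedded_signature(img))
```

The "UPX dump on OEP" signature means the sandbox waited until execution reached the original entry point inside UPX0 and dumped the unpacked image from memory. For a stock UPX build, `upx -d` on the file gives the same result statically; when the header has been tampered with to defeat that, the memory dump is the fallback.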

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:47

Reported

2024-04-07 23:49

Platform

win7-20231129-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\horse [bangbus] hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\System32\DriverStore\Temp\gay hot (!) feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fucking hidden glans (Kathrin,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\IME\shared\italian horse bukkake full movie bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\tyrkish handjob lingerie big .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\IME\shared\tyrkish beastiality sperm full movie 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\italian horse bukkake [milf] fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian kicking trambling [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\fucking [bangbus] bedroom (Sonja,Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\swedish nude horse catfight cock leather (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\hardcore several models mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\swedish cumshot bukkake uncut mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\indian cum blowjob [bangbus] gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\tyrkish porn sperm hidden latex (Christine,Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\swedish horse bukkake several models feet high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\indian cumshot blowjob girls feet circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Google\Temp\bukkake [milf] latex .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\indian cumshot lesbian masturbation feet balls .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\danish nude fucking uncut granny .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\DVD Maker\Shared\lesbian girls (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\fucking hot (!) feet .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\italian cum horse public glans bedroom .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\hardcore hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\black nude horse uncut .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\swedish kicking hardcore [free] traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\tmp\fucking uncut feet mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian action fucking catfight feet shower (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\handjob blowjob several models .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\german lingerie girls glans mature .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\brasilian porn lesbian masturbation hole upskirt (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\chinese beast uncut lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\gay masturbation feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\xxx [milf] shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\nude horse public titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\african bukkake voyeur glans (Ashley,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\beast big latex .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\black animal blowjob full movie fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\hardcore catfight 50+ .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_00225053e03f4c04\asian lingerie hot (!) (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\spanish trambling girls hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\african lingerie lesbian cock latex .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\cumshot beast catfight hole .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ac16749b75335680\norwegian lesbian masturbation hole hotel (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\french lingerie licking cock YEâPSè& (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\italian nude trambling public penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\beast full movie .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\spanish trambling public traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish porn horse girls glans circumcision (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\temp\lesbian licking ash .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\porn xxx uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\cumshot gay hidden glans (Christine,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\horse trambling girls YEâPSè& .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\tyrkish beastiality beast hidden cock hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\tyrkish porn beast [bangbus] (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\british blowjob [milf] .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\sperm hot (!) sm .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\tyrkish horse blowjob public upskirt (Sandy,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\porn lingerie public titts 40+ (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\russian cum sperm several models .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\black horse lingerie [free] .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\porn sperm lesbian glans wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\beastiality sperm [bangbus] latex .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\InstallTemp\chinese lesbian masturbation titts bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\tyrkish cum beast [bangbus] cock bedroom (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\asian xxx public bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\italian action lingerie full movie titts sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\beast girls hole high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\malaysia horse catfight .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\tyrkish horse bukkake several models feet .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\italian gang bang blowjob [milf] titts (Christine,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\tyrkish handjob gay licking mistress (Christine,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\japanese cum sperm several models pregnant .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\french horse [free] titts castration (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\indian fetish sperm girls titts leather (Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\spanish fucking big penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\tyrkish kicking lesbian uncut hole high heels .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\gay voyeur glans balls .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\fucking big .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\Temp\trambling [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\british lingerie voyeur stockings .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\black handjob horse catfight hole YEâPSè& (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\american cumshot bukkake catfight cock penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\blowjob big black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\hardcore masturbation 50+ (Sonja,Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\asian sperm girls hole leather .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\sperm [bangbus] shower .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\nude horse licking glans traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SoftwareDistribution\Download\blowjob girls gorgeoushorny (Christine,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\german horse lesbian fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
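The behavioral tables above carry the three findings a responder acts on first: the Run-key entry that points at a copy of the binary under C:\Windows, the alphabet walk over drive letters, and the flood of double-extension files (media or archive name followed by .exe) written into System32, Program Files and Windows directories where peer-to-peer and shared folders are typically indexed. The script below is an added example, not code from the report or the sandbox: it parses rows in the "Description Indicator Process Target" layout used above and extracts those three findings. The sample rows are copied from the tables above (one Run-key row, four dropped files, six drive opens); the `report.txt` row is constructed as a negative case, and the lure extension list and the four-letter sweep threshold are assumptions.

```python
"""Extract persistence, lure drops and drive sweeps from sandbox signature rows.
Added example: the parser and thresholds are assumptions; rows are from the report."""
import re

PROC = (r"C:\Users\Admin\AppData\Local\Temp"
        r"\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe")

SAMPLE_ROWS = [
    # Run-key row from the persistence table above
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
    r'\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" ' + PROC + " N/A",
    # Dropped files from the System32, Program Files and Windows tables above
    r"File created C:\Windows\System32\DriverStore\Temp\gay hot (!) feet .mpeg.exe " + PROC + " N/A",
    r"File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA"
    r"\ItemTemplates\hardcore hot (!) .rar.exe " + PROC + " N/A",
    r"File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp"
    r"\beast full movie .zip.exe " + PROC + " N/A",
    r"File created C:\Windows\winsxs\Temp\trambling [bangbus] .avi.exe " + PROC + " N/A",
    # Constructed benign drop: the lure filter must not fire on it
    r"File created C:\Users\Admin\AppData\Local\Temp\report.txt " + PROC + " N/A",
] + [r"File opened (read-only) \??" + "\\" + d + ": " + PROC + " N/A" for d in "IPRYEH"]

DESCRIPTIONS = ("Set value (str)", "File created", "File opened (read-only)")
_PATH_START = re.compile(r" [A-Za-z]:\\")
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\(?P<name>\S+) = "(?P<value>.*)"$')
LURE_EXT = re.compile(r"\.(avi|mpe?g|mp4|wmv|zip|rar|7z)\.exe$", re.IGNORECASE)
DRIVE = re.compile(r"^\\\?\?\\([A-Z]):$")


def parse_row(row):
    """Split one row into its four columns. Indicator and Process both
    contain spaces, so the split keys on the last drive-letter path in
    the row: that one is the Process column."""
    desc = next((d for d in DESCRIPTIONS if row.startswith(d + " ")), None)
    if desc is None:
        return None
    rest, _, target = row[len(desc) + 1:].rpartition(" ")
    starts = list(_PATH_START.finditer(rest))
    if not starts:
        return None
    cut = starts[-1].start()
    return {"desc": desc, "indicator": rest[:cut], "process": rest[cut + 1:], "target": target}


def find_run_keys(events):
    """Run-key entries; the sandbox writes the value with doubled backslashes."""
    hits = []
    for e in events:
        m = RUN_KEY.search(e["indicator"]) if e["desc"] == "Set value (str)" else None
        if not m:
            continue
        path = m.group("value").replace("\\\\", "\\")
        hits.append({
            "hive": "HKLM" if e["indicator"].startswith(r"\REGISTRY\MACHINE") else "HKU",
            "name": m.group("name"), "path": path,
            # Entry points somewhere other than the running binary: a copy
            # was written there, so that path is the file to hunt for.
            "points_to_copy": path.lower() != e["process"].lower(),
        })
    return hits


def classify_location(path):
    p = path.lower()
    if "\\system32\\" in p or "\\syswow64\\" in p:
        return "system32"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def find_lure_drops(events):
    """Created files whose name ends in <media or archive ext>.exe."""
    return [{"path": e["indicator"], "location": classify_location(e["indicator"])}
            for e in events
            if e["desc"] == "File created" and LURE_EXT.search(e["indicator"])]


def find_drive_sweep(events, min_letters=4):
    """Distinct drive letters opened read-only; many letters in one run
    is the alphabet walk seen in the table above."""
    letters = sorted({DRIVE.match(e["indicator"]).group(1) for e in events
                      if e["desc"] == "File opened (read-only)" and DRIVE.match(e["indicator"])})
    return {"letters": letters, "is_sweep": len(letters) >= min_letters}


def triage(rows):
    events = [e for e in map(parse_row, rows) if e]
    return {"run_keys": find_run_keys(events), "lure_drops": find_lure_drops(events),
            "drive_sweep": find_drive_sweep(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

The Run-key finding is the one to pivot on: the value name `mssrv32` and the path `C:\Windows\mssrv.exe` are host artefacts that survive the original dropper being deleted, and because the entry lives under Wow6432Node on a 64-bit host, a hunt that only reads the native `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` view will miss it.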

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
(identical row reported 47 times, all attributed to the same process)
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2316 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2852 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2852 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2852 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2852 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 161.170.158.76.in-addr.arpa udp
US 8.8.8.8:53 241.101.251.209.in-addr.arpa udp
US 8.8.8.8:53 60.111.204.254.in-addr.arpa udp
US 8.8.8.8:53 209.234.186.118.in-addr.arpa udp
US 8.8.8.8:53 18.22.245.186.in-addr.arpa udp
US 8.8.8.8:53 197.17.192.42.in-addr.arpa udp
US 8.8.8.8:53 21.71.146.243.in-addr.arpa udp
US 8.8.8.8:53 11.93.121.58.in-addr.arpa udp
US 8.8.8.8:53 92.133.219.94.in-addr.arpa udp
US 8.8.8.8:53 209.223.191.56.in-addr.arpa udp
US 8.8.8.8:53 80.91.214.201.in-addr.arpa udp
US 8.8.8.8:53 142.184.38.83.in-addr.arpa udp
US 8.8.8.8:53 212.140.82.250.in-addr.arpa udp
US 8.8.8.8:53 60.111.98.50.in-addr.arpa udp
US 8.8.8.8:53 146.195.144.243.in-addr.arpa udp
US 8.8.8.8:53 9.63.7.76.in-addr.arpa udp
US 8.8.8.8:53 161.199.191.211.in-addr.arpa udp
US 8.8.8.8:53 111.23.167.229.in-addr.arpa udp
US 8.8.8.8:53 183.158.186.66.in-addr.arpa udp
US 8.8.8.8:53 37.228.148.162.in-addr.arpa udp
US 8.8.8.8:53 111.248.116.219.in-addr.arpa udp
US 8.8.8.8:53 181.208.124.110.in-addr.arpa udp
US 8.8.8.8:53 187.249.82.140.in-addr.arpa udp
US 8.8.8.8:53 24.80.228.3.in-addr.arpa udp
US 8.8.8.8:53 132.23.104.192.in-addr.arpa udp
US 8.8.8.8:53 226.198.5.175.in-addr.arpa udp
US 8.8.8.8:53 145.128.95.211.in-addr.arpa udp
US 8.8.8.8:53 35.63.225.162.in-addr.arpa udp
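Every row in the Network table above is a PTR (reverse-DNS) query sent to 8.8.8.8, and each one asks about a different, unrelated address. Two details matter when reading such a table: the Country column describes the resolver (8.8.8.8 is a US-based public resolver), not the hosts being looked up, and an in-addr.arpa name carries the address octets in reverse order, so "161.170.158.76.in-addr.arpa" is a lookup for 76.158.170.161. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it reverses the names, discards addresses that cannot be real hosts, and scores the burst as address-space probing when enough routable targets spread across enough /8 blocks. The ten rows are copied from the table above; the thresholds are assumptions for this example.

```python
import ipaddress
import re
from collections import Counter

# Rows copied from the behavioral1 Network table above (ten of the 28 entries).
NETWORK_ROWS = [
    "US 8.8.8.8:53 161.170.158.76.in-addr.arpa udp",
    "US 8.8.8.8:53 241.101.251.209.in-addr.arpa udp",
    "US 8.8.8.8:53 60.111.204.254.in-addr.arpa udp",
    "US 8.8.8.8:53 209.234.186.118.in-addr.arpa udp",
    "US 8.8.8.8:53 18.22.245.186.in-addr.arpa udp",
    "US 8.8.8.8:53 197.17.192.42.in-addr.arpa udp",
    "US 8.8.8.8:53 21.71.146.243.in-addr.arpa udp",
    "US 8.8.8.8:53 11.93.121.58.in-addr.arpa udp",
    "US 8.8.8.8:53 92.133.219.94.in-addr.arpa udp",
    "US 8.8.8.8:53 209.223.191.56.in-addr.arpa udp",
]

PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?$",
                    re.IGNORECASE)


def ptr_to_ip(name):
    """Turn a reverse-DNS name back into the address it asks about.

    in-addr.arpa names carry the octets least-significant first, so
    '161.170.158.76.in-addr.arpa' is a lookup for 76.158.170.161.
    Returns None for anything that is not a well-formed IPv4 PTR name.
    """
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(m.groups())))
    except ipaddress.AddressValueError:  # an octet above 255
        return None


def is_routable(ip):
    """Public unicast only: 240/4, RFC 1918, loopback, link-local and multicast are out."""
    return not (ip.is_private or ip.is_reserved or ip.is_loopback
                or ip.is_link_local or ip.is_multicast)


def parse_rows(rows):
    """Parse 'Country Destination Domain Proto' rows; malformed rows are skipped."""
    parsed = []
    for row in rows:
        parts = row.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        parsed.append({"country": country, "dest": dest, "domain": domain,
                       "proto": proto, "ip": ptr_to_ip(domain)})
    return parsed


def reverse_lookup_profile(rows, min_targets=8, min_prefixes=4):
    """Summarise a burst of PTR queries and flag it when it looks like address-space probing.

    Thresholds are assumptions for this example: at least `min_targets` routable
    addresses spread over at least `min_prefixes` distinct /8 blocks, and nothing
    but PTR queries in the window.
    """
    parsed = parse_rows(rows)
    ptr = [p for p in parsed if p["ip"] is not None]
    routable = [p["ip"] for p in ptr if is_routable(p["ip"])]
    slash8 = Counter(int(ip) >> 24 for ip in routable)
    profile = {
        "rows": len(parsed),
        "ptr_queries": len(ptr),
        "all_ptr": len(parsed) > 0 and len(ptr) == len(parsed),
        "routable_targets": len(routable),
        "unroutable_targets": len(ptr) - len(routable),
        "distinct_slash8": len(slash8),
        "resolvers": dict(Counter(p["dest"] for p in ptr)),
    }
    profile["flagged"] = (profile["all_ptr"]
                          and profile["routable_targets"] >= min_targets
                          and profile["distinct_slash8"] >= min_prefixes)
    return profile


if __name__ == "__main__":
    for p in parse_rows(NETWORK_ROWS):
        state = "routable" if p["ip"] and is_routable(p["ip"]) else "not routable"
        print(f'{p["domain"]} -> {p["ip"]} ({state})')
    print(reverse_lookup_profile(NETWORK_ROWS))
```

Two of the ten sample rows (254.204.111.60 and 243.146.71.21) fall in 240.0.0.0/4, which is reserved and never assigned; a PTR lookup for such an address is itself a sign that the addresses are being generated rather than taken from real traffic. On a production resolver log the same profile should be computed per source host over a short window, since a mail server or an IDS legitimately issues many PTR queries.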

Files

memory/2316-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\black nude horse uncut .avi.exe

MD5 f11b82070f01225443e819384d88995e
SHA1 eee7915ba42371e0fdae56892c2cccaed85ffc78
SHA256 ed9dd8f22ae5dc1d236c9c63ee18fb649ab6d49d71e129a99e581a8052896e7c
SHA512 267a7fd55a46b6393fc5ecbbdb5c6f0a2bc68218ccd4495ef48ba8eed17255601f1a1194e27f6034f3e2b8bb48c3805370e2d7bd42cb0238c91701d23acde1fb

memory/2316-62-0x0000000004FE0000-0x0000000005009000-memory.dmp

memory/2852-63-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2852-87-0x0000000004F20000-0x0000000004F49000-memory.dmp

memory/1956-88-0x0000000000400000-0x0000000000429000-memory.dmp
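The "Suspicious use of WriteProcessMemory" rows above and the memory-dump names in this Files section describe the same event from two sides: PID 2316 writes into PID 2852, which in turn writes into PID 1956, and every process in that chain is dumped at 0x400000 with a size of 0x29000 bytes, while each writer additionally holds a second region of exactly 0x29000 bytes. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it rebuilds the writer-to-target chain from the row text, parses the dump names, and checks which region is common to every process and which writer regions match its size. The row and dump strings are copied from the report; the parsing regexes assume the formats shown here.

```python
import re
from collections import defaultdict

# The eight WriteProcessMemory rows from the behavioral1 table above, reduced to the
# text the parser needs (the sandbox lists each process pair four times).
WPM_ROWS = ["PID 2316 wrote to memory of 2852"] * 4 + ["PID 2852 wrote to memory of 1956"] * 4

# The memory-dump names from the behavioral1 Files section above.
DUMP_NAMES = [
    "memory/2316-0-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2316-62-0x0000000004FE0000-0x0000000005009000-memory.dmp",
    "memory/2852-63-0x0000000000400000-0x0000000000429000-memory.dmp",
    "memory/2852-87-0x0000000004F20000-0x0000000004F49000-memory.dmp",
    "memory/1956-88-0x0000000000400000-0x0000000000429000-memory.dmp",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_wpm(rows):
    """Count cross-process writes per (writer, target) pair."""
    counts = defaultdict(int)
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


def injection_chain(edges):
    """Follow writer -> target edges from the one process that writes but is never written to.

    Stops at a branch or a cycle so a malformed table cannot loop forever.
    """
    targets = {t for _, t in edges}
    roots = {w for w, _ in edges} - targets
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {sorted(roots)}")
    nxt = defaultdict(list)
    for w, t in edges:
        if t not in nxt[w]:
            nxt[w].append(t)
    chain = [roots.pop()]
    while len(nxt[chain[-1]]) == 1 and nxt[chain[-1]][0] not in chain:
        chain.append(nxt[chain[-1]][0])
    return chain


def parse_dumps(names):
    """Map pid -> [(base, size)] from the sandbox's dump file names, in listing order."""
    regions = defaultdict(list)
    for name in names:
        m = DUMP_RE.match(name.strip())
        if m:
            base, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[int(m.group(1))].append((base, end - base))
    return dict(regions)


def shared_image_region(chain, regions):
    """The (base, size) region dumped from every process in the chain, or None."""
    common = None
    for pid in chain:
        have = set(regions.get(pid, []))
        common = have if common is None else common & have
    return min(common) if common else None


def same_size_regions(chain, regions, image):
    """For each writer in the chain, the regions other than `image` that have its exact size."""
    _, size = image
    return {pid: [r for r in regions.get(pid, []) if r != image and r[1] == size]
            for pid in chain[:-1]}  # the last process in the chain writes to nobody


if __name__ == "__main__":
    counts = parse_wpm(WPM_ROWS)
    chain = injection_chain(list(counts))
    regions = parse_dumps(DUMP_NAMES)
    image = shared_image_region(chain, regions)
    print("chain:", " -> ".join(map(str, chain)))
    print("common image region: base 0x%X size 0x%X" % image)
    for pid, extra in same_size_regions(chain, regions, image).items():
        print(f"writer {pid} also holds:", ["0x%X (0x%X bytes)" % r for r in extra])
```

Each writer holding a second 0x29000-byte region while the next process in the chain is dumped at 0x400000 with that same size is consistent with each instance copying its own (already unpacked, per the "UPX dump on OEP" signature) image into a freshly started copy of itself; that reading is an inference from the rows, not a statement the report makes. The table does not show how the child was created or whether its thread context was changed, so do not label the technique more precisely than "writes into a child instance of itself" from this evidence alone.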

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:47

Reported

2024-04-07 23:49

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\beast hot (!) granny .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american cum gay [free] glans high heels .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\brasilian action lesbian full movie titts femdom .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\gay hidden (Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\danish handjob lingerie sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking catfight glans (Ashley,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\russian kicking horse big black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\black kicking xxx public .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\indian fetish fucking full movie hole .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\blowjob sleeping shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore uncut hole fishy (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american nude bukkake hidden .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Microsoft Shared\american porn lesbian masturbation mistress .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\sperm full movie cock .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\dotnet\shared\xxx [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\danish nude lesbian several models hole traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\italian animal gay uncut latex .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish gang bang lesbian hidden hole hairy .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\indian action blowjob voyeur black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Common Files\microsoft shared\japanese handjob blowjob [bangbus] lady .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking [milf] cock upskirt (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\trambling big glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black nude sperm lesbian penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Google\Temp\japanese cumshot lesbian masturbation bedroom (Sonja,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\russian horse trambling big mistress (Anniston,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\bukkake several models glans (Christine,Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\gay licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\japanese cum blowjob voyeur girly .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\american handjob gay lesbian hole .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\danish fetish fucking voyeur ash (Sonja,Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
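The dropped files in the three "Drops file" tables of this run share two traits: every name is a pornographic lure ending in a media or archive extension followed by ".exe", and every directory name contains "share", "temp", "tmp", "download", "incoming" or "p2p" (which is how unlikely places such as "config\systemprofile" or "systempropertiesremote", both containing "temp", end up on the list). That the sample picks directories by substring match on the name is an inference from the listing, not something the report states. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it classifies created-file paths by those two traits and parses the "Adds Run key" row above into its hive key, value name and image path. The paths and the registry row are copied from the tables above; the benign control paths are constructed for the example, and the keyword and extension lists are assumptions drawn from this listing.

```python
import ntpath
import re

# Substrings that every drop directory in the behavioral2 tables above contains.
# The list is an inference from those tables, not something the report states.
SHARE_WORDS = ("share", "temp", "tmp", "download", "incoming", "p2p")
# Inner extensions seen in the dropped names above; extend for other lure types as needed.
LURE_EXTS = {".avi", ".mpeg", ".mpg", ".zip", ".rar"}

# Paths copied from the "Drops file ..." tables above.
DROPPED_PATHS = [
    r"C:\Windows\SysWOW64\IME\SHARED\gay hidden (Liz).rar.exe",
    r"C:\Program Files\dotnet\shared\xxx [bangbus] .zip.exe",
    r"C:\Windows\PLA\Templates\beast [free] high heels .zip.exe",
    r"C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie hot (!) high heels .zip.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\lesbian hot (!) 40+ (Britney,Karin).rar.exe",
    r"C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\chinese lesbian several models stockings .avi.exe",
]
# Constructed control paths; these are not in the report.
BENIGN_PATHS = [
    r"C:\Windows\Temp\setup.log",
    r"C:\Users\Admin\Downloads\holiday.avi",
    r"C:\Program Files\Vendor\App\helper.exe",
    r"C:\Users\Admin\Desktop\archive.zip.exe",
]
# The persistence row from "Adds Run key to start application" above.
RUN_KEY_ROW = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32'
               r' = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A')

RUN_RE = re.compile(r'Set value \(str\) (?P<key>\S+\\Run\\(?P<name>[^\s=]+)) = "(?P<data>(?:[^"\\]|\\.)*)"')


def split_double_ext(filename):
    """'clip .avi.exe' -> ('.avi', '.exe'); the inner part is None for a single extension."""
    base, outer = ntpath.splitext(filename)
    _, inner = ntpath.splitext(base)
    return (inner.lower() or None, outer.lower())


def share_keyword(path):
    """First share-like keyword found as a substring of any directory component, else None."""
    for component in ntpath.dirname(path).lower().split("\\"):
        for word in SHARE_WORDS:
            if word in component:
                return word
    return None


def classify_drop(path):
    """Flag a created file when it is a lure-named executable placed in a share-like directory."""
    inner, outer = split_double_ext(ntpath.basename(path))
    keyword = share_keyword(path)
    lure = outer == ".exe" and inner in LURE_EXTS
    return {"path": path, "inner_ext": inner, "lure_ext": lure,
            "share_keyword": keyword, "suspicious": lure and keyword is not None}


def parse_run_key(row):
    """Extract hive key, value name and image path from a sandbox 'Set value (str)' row.

    The sandbox prints backslashes inside the quoted data doubled; they are folded back.
    Returns None for rows that are not Run-key writes.
    """
    m = RUN_RE.search(row)
    if not m:
        return None
    image = m.group("data").replace("\\\\", "\\")
    return {
        "hive_key": m.group("key"),
        "value_name": m.group("name"),
        "image": image,
        # A binary placed directly in C:\Windows (not System32) is unusual for software.
        "image_in_windows_root": ntpath.dirname(image).lower() == r"c:\windows",
        # WOW6432Node: written by a 32-bit process on 64-bit Windows.
        "wow6432node": "wow6432node" in m.group("key").lower(),
    }


if __name__ == "__main__":
    for p in DROPPED_PATHS + BENIGN_PATHS:
        r = classify_drop(p)
        print(f'{"SUSPICIOUS" if r["suspicious"] else "ok        "} keyword={r["share_keyword"]!s:9} inner={r["inner_ext"]!s:6} {p}')
    print(parse_run_key(RUN_KEY_ROW))
```

Both traits are needed for a match: a ".zip.exe" on a user's desktop gets the lure flag but no keyword, and a log file in C:\Windows\Temp gets the keyword but no lure extension. For hunting, the lure-extension test alone over file-creation telemetry is the cheaper first pass; the directory-keyword test then separates this spreading pattern from a single dropped downloader.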

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black beastiality lingerie masturbation titts circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\PLA\Templates\beast [free] high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\japanese gang bang beast [free] sm .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\norwegian beast voyeur latex .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish horse gay [milf] cock ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\russian cumshot horse uncut feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\american gang bang fucking sleeping (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\norwegian gay girls .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\swedish action fucking sleeping feet shower (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\kicking trambling [bangbus] titts ash .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\british sperm catfight mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\kicking fucking [bangbus] (Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\american cumshot lesbian lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\malaysia hardcore several models feet hairy (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_c049dbdb4e15bdd2\lesbian lesbian 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\cum lesbian uncut feet .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\tyrkish kicking lingerie full movie mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\french lesbian [milf] .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\horse [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\italian gang bang blowjob [milf] femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\american nude trambling lesbian glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\russian cum lesbian hot (!) traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\black horse fucking several models (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\african blowjob masturbation .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\swedish horse beast public circumcision .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\american porn fucking full movie (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_en-us_64f5aaf4bb13ecef\asian gay hidden mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\american fetish beast catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\xxx hot (!) titts leather .rar.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\lingerie hot (!) high heels .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\italian kicking sperm [free] (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.546_none_a93e4a2569276206\horse horse sleeping latex (Jenna,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\sperm lesbian shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\french lesbian licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\spanish fucking hidden .avi.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 1692 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe
PID 2280 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe

"C:\Users\Admin\AppData\Local\Temp\9abc124e6f1f0ee51e7d1e7fe273c698a541f392cb5864ddd786112cd3d3c202.exe"

Network

Country Destination Domain Proto

Files

memory/2280-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\fucking [milf] cock upskirt (Melissa).rar.exe

MD5 dd0034bd96fd5785700bccfc8f1f61b3
SHA1 c5c253b9eea5822a26457baadafd4ec87a43732f
SHA256 c8d841e0bfe3e2d9e0d8b30dd9d93d0034702baac4d2f4356e645fffd52f0dc5
SHA512 5a150536fcf0a6e76a5538a79323595218ed052e096be46176c6012342e80c38eaf09f5e7c0b9648a617b69e5a160170563d766e8bf4ad283ada643e50a2fa75

memory/1692-96-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1412-168-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3092-170-0x0000000000400000-0x0000000000429000-memory.dmp