Malware Analysis Report

2024-11-30 02:37

Sample ID 240407-wx953sbb63
Target 06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933
SHA256 06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933

Threat Level: Known bad

The file 06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:19

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:19

Reported

2024-04-07 18:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\sperm public shoes (Ashley,Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\british sperm uncut cock boots .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\IME\shared\fucking public titts sm .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\russian porn bukkake hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\swedish beastiality hardcore [bangbus] hole 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\danish animal lesbian catfight fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\xxx [milf] titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\indian cumshot lesbian hot (!) black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\IME\shared\danish porn gay several models wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob licking 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\russian nude hardcore sleeping glans circumcision .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\american gang bang lesbian [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\xxx lesbian shoes .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\fucking [milf] leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Google\Temp\russian kicking lesbian sleeping feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\xxx uncut bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\beast [milf] girly .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\lesbian licking castration .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\DVD Maker\Shared\russian kicking fucking licking 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Windows Journal\Templates\danish gang bang beast licking cock 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\black gang bang sperm sleeping .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\fucking voyeur hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish cumshot lingerie sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\swedish fetish sperm full movie hole castration .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\black gang bang blowjob hidden (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\russian cumshot xxx [milf] .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\bukkake licking titts .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian beastiality gay sleeping pregnant (Sandy,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\black nude xxx [free] glans .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\german horse lesbian leather .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\tyrkish handjob lingerie full movie .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\Downloaded Program Files\blowjob hot (!) shower .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\cum fucking several models (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\lingerie public glans ìï .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\PLA\Templates\fucking sleeping feet (Ashley,Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\asian lingerie full movie titts circumcision .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\norwegian lesbian hidden (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\african blowjob girls wifey (Jenna,Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\fucking uncut sm .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\british lingerie [milf] glans mistress (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\russian action lingerie [milf] ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\spanish sperm lesbian (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\malaysia beast licking titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\trambling full movie hole mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\norwegian horse sleeping hole black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\blowjob girls (Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lesbian public castration .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\tyrkish horse gay lesbian glans young .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\fetish blowjob full movie fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\asian lingerie sleeping blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\swedish beastiality trambling big titts traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\tyrkish cumshot fucking [milf] feet stockings (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\norwegian hardcore lesbian granny .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\american action blowjob public .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\norwegian xxx uncut (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\beastiality blowjob uncut cock .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\norwegian lesbian [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\hardcore big hotel (Gina,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\brasilian animal lingerie licking (Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\french horse hidden ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\german lesbian several models cock latex (Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\action lingerie public cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\danish gang bang xxx public (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\italian fetish horse big ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\tmp\horse girls feet penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\black fetish xxx catfight young .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\japanese gang bang lingerie hot (!) granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\american action beast sleeping titts shoes .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\action gay sleeping hole .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\Temp\lesbian [bangbus] stockings .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\spanish blowjob full movie (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\porn trambling full movie shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\danish horse blowjob public glans ash .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\canadian sperm masturbation sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\temp\danish handjob lesbian big girly .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\kicking sperm [free] wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\spanish xxx voyeur circumcision (Sonja,Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\fucking licking black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\swedish fetish blowjob big cock redhair (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\canadian lingerie hidden glans girly .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\gay girls titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\lesbian big (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\brasilian horse trambling [milf] .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\russian gang bang hardcore licking titts .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\malaysia lesbian public .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\french lingerie catfight .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\british beast [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_b7f38afb92de484f\kicking lesbian catfight mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\sperm public glans 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2144 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2144 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2144 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2144 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 1736 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 157.49.133.218.in-addr.arpa udp
US 8.8.8.8:53 122.206.74.29.in-addr.arpa udp
US 8.8.8.8:53 194.109.235.118.in-addr.arpa udp
US 8.8.8.8:53 110.121.56.158.in-addr.arpa udp
US 8.8.8.8:53 103.220.229.138.in-addr.arpa udp
US 8.8.8.8:53 130.124.32.95.in-addr.arpa udp
US 8.8.8.8:53 23.50.222.212.in-addr.arpa udp
US 8.8.8.8:53 68.72.81.32.in-addr.arpa udp
US 8.8.8.8:53 176.247.210.69.in-addr.arpa udp
US 8.8.8.8:53 149.145.168.69.in-addr.arpa udp
US 8.8.8.8:53 194.142.124.8.in-addr.arpa udp
US 8.8.8.8:53 105.214.26.180.in-addr.arpa udp
US 8.8.8.8:53 130.134.128.49.in-addr.arpa udp
US 8.8.8.8:53 248.221.18.2.in-addr.arpa udp
US 8.8.8.8:53 93.86.143.208.in-addr.arpa udp
US 8.8.8.8:53 127.151.96.242.in-addr.arpa udp
US 8.8.8.8:53 144.220.131.26.in-addr.arpa udp
US 8.8.8.8:53 112.180.136.10.in-addr.arpa udp
US 8.8.8.8:53 17.145.62.21.in-addr.arpa udp
US 8.8.8.8:53 165.243.34.36.in-addr.arpa udp
US 8.8.8.8:53 178.115.254.218.in-addr.arpa udp
US 8.8.8.8:53 142.116.114.192.in-addr.arpa udp

Files

memory/1736-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\tyrkish cumshot lingerie sleeping .zip.exe

MD5 a7c3d83ae4b1c82290acae3a4a0cefc7
SHA1 8e90e0fb222e3da0475bb90938e81e161f8965a0
SHA256 a552a8dd576fa36714256c59bf36ef288b18193a8580d2c4df9ff7c1ef7fc856
SHA512 0b5b3a603dfd10344e269be291fa0472b41e1415723401694fc79d2d794ff0c8fcab18092bbd6a7c47672d920fcdf64211c53ffff54779ede889a4203b7510ec

memory/1736-13-0x0000000004E10000-0x0000000004E2C000-memory.dmp

memory/2144-61-0x0000000001E80000-0x0000000001E9C000-memory.dmp

memory/2484-62-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2436-63-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-64-0x0000000004F90000-0x0000000004FAC000-memory.dmp

memory/1736-89-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2144-90-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2436-92-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-93-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-94-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-95-0x0000000004E10000-0x0000000004E2C000-memory.dmp

memory/2144-98-0x0000000001E80000-0x0000000001E9C000-memory.dmp

memory/1736-101-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-115-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-119-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-123-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-127-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-131-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-137-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-141-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-145-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-149-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-153-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1736-157-0x0000000000400000-0x000000000041C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:19

Reported

2024-04-07 18:21

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\lingerie hardcore full movie castration .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\german action xxx big lady .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\danish trambling [milf] femdom (Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\horse bukkake masturbation hairy (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\german horse big .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\indian kicking masturbation vagina (Samantha,Gina).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\swedish cumshot handjob public (Sandy,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\cumshot [milf] ash YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\System32\DriverStore\Temp\russian lesbian hidden gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lingerie catfight legs .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\action [milf] (Ashley).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\swedish lesbian kicking hidden (Melissa,Ashley).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\norwegian cumshot blowjob uncut black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian handjob blowjob uncut mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Google\Temp\beastiality uncut swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\brasilian xxx fucking catfight bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\animal hot (!) ash hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\action nude hidden .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast [milf] titts blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Common Files\microsoft shared\chinese cumshot [milf] vagina shoes (Ashley,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\german action girls blondie .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\kicking gang bang [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\spanish handjob lesbian uncut beautyfull (Curtney,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\british lesbian trambling [free] sm (Sonja,Christine).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american trambling public hotel (Ashley).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\african gay xxx hidden (Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\trambling voyeur granny .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\canadian hardcore licking (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\cum nude public bedroom (Anniston).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\action uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\japanese fucking full movie sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\french lingerie fetish [milf] castration (Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\trambling gay sleeping bedroom .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\horse hardcore masturbation balls .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\brasilian fucking cum [free] gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\cum xxx sleeping glans shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedrealitysvc_31bf3856ad364e35_10.0.19041.1_none_5a23b464e1e0b15e\beast [milf] mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\indian animal lesbian (Britney,Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\bukkake kicking girls bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\canadian gay fetish uncut sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\CbsTemp\beast [bangbus] (Christine,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\indian bukkake uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_07787dd7ae0cf4f6\american gay xxx sleeping ejaculation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\xxx public shower (Kathrin,Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\blowjob hidden nipples .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\lesbian [free] .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\african blowjob handjob hot (!) ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\british horse sleeping ash .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\lesbian masturbation ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\russian sperm catfight black hairunshaved (Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\trambling masturbation titts 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-_dataoraclec.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_3b8d4dacc2ea6b71\malaysia bukkake girls cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\black horse [free] (Karin).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\american horse public nipples sweet (Sarah,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\swedish gang bang hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\brasilian gay xxx hot (!) sm .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_551afa5edf8be30e\indian lesbian public bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\malaysia action public (Kathrin,Gina).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\black animal porn girls shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\gang bang hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a80ce63d483fe70\sperm girls leather .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\canadian hardcore beastiality [bangbus] boobs 40+ (Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\beastiality [free] glans bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\fetish nude girls cock .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\gang bang uncut latex .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\british lingerie public (Jenna,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-installsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_bde408a455fc3ece\gang bang public YEâPSè& .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\indian action public .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\hardcore gay public ash .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\blowjob handjob hot (!) (Jenna).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\porn lesbian boobs swallow (Britney,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\cum lesbian (Gina,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\PLA\Templates\american lesbian animal licking glans stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\chinese xxx gang bang masturbation vagina leather (Kathrin,Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_887b2378b7b5651d\horse lingerie full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\fucking full movie sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\blowjob xxx full movie cock .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\african cum public ash .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\chinese horse hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\xxx lesbian hidden ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_833abdc06c68d338\fetish lingerie voyeur wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\italian fetish porn hot (!) blondie (Christine).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\porn [milf] (Jenna,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\tyrkish animal voyeur sm .rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\xxx fetish voyeur legs .zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\cumshot beast lesbian beautyfull (Curtney,Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\american animal animal [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\swedish beastiality [milf] latex .mpeg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\norwegian porn fetish masturbation wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.746_none_292c449ed2edefa3\black bukkake lesbian nipples swallow (Kathrin,Gina).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\handjob action catfight (Gina).mpg.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\assembly\tmp\kicking hardcore hidden (Jenna,Kathrin).zip.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\kicking hidden glans (Sonja,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 4584 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 4584 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 4584 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 4584 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 4584 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2892 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2892 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe
PID 2892 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe

"C:\Users\Admin\AppData\Local\Temp\06bc4562cc0ff8934c4fb6c249ee297a1859125d9d04829a6232cc62e4118933.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 103.132.205.189.in-addr.arpa udp
US 8.8.8.8:53 75.82.164.112.in-addr.arpa udp
US 8.8.8.8:53 246.60.70.67.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 176.253.75.219.in-addr.arpa udp
US 8.8.8.8:53 105.177.192.55.in-addr.arpa udp
US 8.8.8.8:53 51.253.220.147.in-addr.arpa udp
US 8.8.8.8:53 144.234.227.207.in-addr.arpa udp
US 8.8.8.8:53 188.120.195.178.in-addr.arpa udp
US 8.8.8.8:53 164.254.150.179.in-addr.arpa udp
US 8.8.8.8:53 221.173.53.26.in-addr.arpa udp
US 8.8.8.8:53 93.122.18.21.in-addr.arpa udp
US 8.8.8.8:53 147.129.71.71.in-addr.arpa udp
US 8.8.8.8:53 218.17.3.182.in-addr.arpa udp
US 8.8.8.8:53 68.239.69.183.in-addr.arpa udp
US 8.8.8.8:53 113.97.101.118.in-addr.arpa udp
US 8.8.8.8:53 204.97.197.147.in-addr.arpa udp
US 8.8.8.8:53 106.126.17.149.in-addr.arpa udp
US 8.8.8.8:53 207.109.202.48.in-addr.arpa udp
US 8.8.8.8:53 252.64.250.29.in-addr.arpa udp
US 8.8.8.8:53 39.67.145.171.in-addr.arpa udp
US 8.8.8.8:53 165.60.198.82.in-addr.arpa udp
US 8.8.8.8:53 48.199.246.14.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp
US 8.8.8.8:53 144.214.217.28.in-addr.arpa udp
US 8.8.8.8:53 159.205.207.138.in-addr.arpa udp

Files

memory/4584-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\american trambling public hotel (Ashley).rar.exe

MD5 c8280e3db8d02b6d2f472b682543a5c3
SHA1 142d4f1ab4c90ea3027a148fa806a00cb8f4aff0
SHA256 a5c124e7629f616ceee1e14518208a6475009aaead736699a8f69c556a479409
SHA512 9c01e1989c5731872462489a84d85f37daacc726614b27d66835ded0d67ea064a979448ad6d2024e23a5878583534897bc9f3e6b0c7930419c7893cdd41e6b2d

memory/2512-56-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-149-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2892-150-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2100-186-0x0000000000400000-0x000000000041C000-memory.dmp

memory/2512-187-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-188-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-189-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-197-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-201-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-205-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-209-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-214-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-220-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-234-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-239-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-243-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4584-247-0x0000000000400000-0x000000000041C000-memory.dmp