Malware Analysis Report

2024-11-15 06:07

Sample ID 240407-yb5pksch49
Target 29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce
SHA256 29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce
Tags
upx persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce

Threat Level: Known bad

The file 29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 19:37

Signatures

UPX dump on OEP (original entry point)

UPX packed file

upx

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 19:37

Reported

2024-04-07 19:40

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

UPX dump on OEP (original entry point)

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe
PID 2628 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

Network

Files

C:\Program Files\Windows Sidebar\Shared Gadgets\gay uncut glans girly .rar.exe

MD5 f5892938fd202dced90123e3fb010f2e
SHA1 2fdefb61372e67b4ce4744a434e496173691d908
SHA256 34c243a6c50fec7bbe3f2af4e0771b4dcbd825e5cd3816d433227263797de846
SHA512 df95820ec89e0f460f5a00c176d729b6f9490c633d15b1d5e7c4a68d0decc9a10c3896172542a83f83a073397b5b1ce629f696741821fa35e9b063acdc536b85

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 19:37

Reported

2024-04-07 19:40

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\japanese animal bukkake licking .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\xxx licking .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\american animal trambling several models balls .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\bukkake public mature .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\System32\DriverStore\Temp\japanese beastiality trambling masturbation glans .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\danish kicking bukkake catfight hole 50+ (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\blowjob [milf] stockings (Kathrin,Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian fetish bukkake licking (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\lingerie lesbian glans .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\lesbian [free] (Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\american nude lingerie licking cock .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\indian cum lingerie licking .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\black kicking fucking masturbation (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\russian porn hardcore sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\danish cumshot lingerie public hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\fucking full movie (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\trambling sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Google\Temp\tyrkish beastiality lesbian sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\tyrkish fetish hardcore [milf] upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian action blowjob voyeur feet .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish cumshot bukkake [free] traffic .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\indian nude fucking girls glans .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\hardcore girls gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african lingerie voyeur feet bondage .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\italian handjob blowjob hot (!) hole redhair .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\russian gang bang beast [bangbus] stockings .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\Common Files\microsoft shared\beast big shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files\dotnet\shared\horse girls glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\italian animal xxx voyeur titts high heels (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian handjob lingerie hot (!) titts shower (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\tyrkish action hardcore licking .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\porn fucking hidden feet mistress (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\action hardcore public glans .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\kicking blowjob uncut titts traffic (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\italian horse xxx masturbation feet pregnant (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\sperm big stockings (Christine,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\american beastiality xxx lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\swedish action trambling [free] penetration .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\gay lesbian feet fishy .avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\african sperm lesbian (Karin).mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\action beast full movie blondie .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\american action xxx big .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\security\templates\blowjob voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\cum lingerie uncut feet Ôï .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\beast public hole .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\asian blowjob full movie granny .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\blowjob sleeping hole leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\brasilian nude lesbian sleeping titts (Gina,Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\fucking voyeur sweet (Sandy,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\kicking hardcore [milf] titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\cumshot hardcore girls latex .rar.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\british xxx hidden cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\american nude horse catfight castration (Kathrin,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\russian fetish lesbian [bangbus] glans swallow (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\black porn xxx masturbation feet high heels (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\cumshot bukkake big glans .zip.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3496 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe
PID 3496 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe
PID 3164 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

Processes

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe

"C:\Users\Admin\AppData\Local\Temp\29770e57e49958333a04bc604f558bd4ff3f1edcf771eac41a09763f1c03efce.exe"

Network

Country Destination Domain Proto

Files

memory/3496-0-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian action blowjob voyeur feet .avi.exe

MD5 a94e8adfb7a94ae1499be67154083c70
SHA1 6bcd5067ae9196a2a5979b08b0a84346845b2eef
SHA256 f5937acf63a08fd5f32ff093d2b4350a774d7d9132431439851b5c98331736f1
SHA512 c75b5ba2705f3d897eec01b0cc2ce0759c2c435988d9cd0630755212a13439a6d68f236e959dc3d22911d08aa9ebb8419ac10375f57d3a368a08d67ee1b90a82
