Malware Analysis Report

2024-11-13 13:57

Sample ID 240407-ztp8aaef97
Target 5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f
SHA256 5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f
Tags: persistence spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f

Threat Level: Known bad

The file 5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer upx

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 21:00

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 21:00
Reported: 2024-04-07 21:03
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\gay [free] .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\gay full movie (Sarah,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\handjob lesbian masturbation legs (Kathrin).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\sperm uncut leather (Anniston).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\norwegian beast hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish kicking public vagina girly (Janette,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\beast porn lesbian titts 40+ (Jenna).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm hot (!) sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\porn bukkake public shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\chinese action lesbian ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\lesbian animal uncut titts (Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\blowjob handjob big legs balls .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\xxx handjob lesbian shoes (Sylvia,Kathrin).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Google\Temp\german lesbian public titts balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black blowjob gay sleeping boots (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\dotnet\shared\norwegian trambling fetish hidden bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fetish fucking uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\norwegian porn big black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\hardcore [milf] hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african bukkake handjob catfight shoes .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\blowjob bukkake voyeur bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\black action trambling [milf] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\danish beastiality masturbation bedroom .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\british kicking sperm [bangbus] glans (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\porn horse licking ΋ .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\danish gang bang hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\canadian hardcore sperm lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\action big black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\xxx fucking girls .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\kicking big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\malaysia cum cumshot public (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_ef0e010d1381269b\spanish horse sperm hot (!) ash (Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_10.0.19041.1_none_4ac6500cab2b2113\asian blowjob hidden feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\fucking porn hot (!) ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_db70a8ec1b999dd5\gay lingerie full movie .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\malaysia bukkake trambling public vagina .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\italian fucking fucking [milf] titts bedroom (Liz,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\danish beast lesbian girls .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\malaysia kicking licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\norwegian horse [milf] titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\chinese porn sperm hot (!) penetration .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\InputMethod\SHARED\tyrkish blowjob uncut sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\indian fetish lingerie catfight vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\bukkake [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_d9e58b774d1b6e80\tyrkish nude gang bang masturbation high heels (Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\PLA\Templates\blowjob full movie vagina 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.746_none_aaeae146be52e178\indian sperm cum [milf] upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\action catfight mistress (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\norwegian nude handjob masturbation .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\CbsTemp\gang bang lesbian [bangbus] penetration .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\russian fetish voyeur ash high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\horse lesbian leather (Sylvia,Britney).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\french fetish porn [bangbus] traffic .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\horse lesbian sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\cumshot big .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_97e9c0335b4cd39a\porn gang bang [bangbus] redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.1_none_6e0e425bd0e83959\swedish bukkake cum uncut mature .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\swedish handjob blowjob [bangbus] sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\sperm voyeur nipples (Anniston,Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\russian handjob beast [free] penetration .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\fetish animal catfight hotel (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\cumshot [milf] ash boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\american hardcore xxx big mistress (Tatjana,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\russian cum catfight 40+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\beastiality horse several models (Anniston,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\lesbian public (Sylvia,Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\gay masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\american lingerie gang bang [milf] feet (Christine,Anniston).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\british bukkake lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\norwegian horse [free] ash mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\brasilian blowjob uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\nude horse hot (!) girly .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\russian kicking fucking sleeping granny .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\sperm masturbation ash redhair .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_en-us_ca03036af4a5017e\beast [milf] traffic (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\horse uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\porn animal voyeur gorgeoushorny (Jenna,Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_10.0.19041.1_none_de1581e9a275faf8\gay gay girls penetration (Britney,Sandy).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\canadian hardcore fetish public .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\asian beast hot (!) sweet (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\spanish horse kicking masturbation (Ashley,Kathrin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\british sperm voyeur mature (Sylvia,Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_56adcc94becfef03\swedish kicking porn girls mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_a06b29f6c4bab99e\british cum sleeping titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\Downloaded Program Files\animal hot (!) hole .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\african lesbian gang bang sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\asian gay public beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\malaysia hardcore lingerie girls mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\lingerie voyeur vagina balls (Samantha,Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_21122d7205c6f5b9\asian lingerie horse hot (!) (Sonja,Sandy).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\animal [bangbus] ash lady (Sonja,Sonja).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\chinese xxx [free] feet .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\gay kicking public (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\spanish beastiality horse hidden vagina young .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 1612 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 1612 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 1612 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 1612 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 1612 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 5016 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 5016 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 5016 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 104.44.110.253.in-addr.arpa udp
US 8.8.8.8:53 176.140.97.13.in-addr.arpa udp
US 8.8.8.8:53 179.118.63.168.in-addr.arpa udp
US 8.8.8.8:53 237.115.56.127.in-addr.arpa udp
US 8.8.8.8:53 53.25.184.124.in-addr.arpa udp
US 8.8.8.8:53 105.180.238.102.in-addr.arpa udp
US 8.8.8.8:53 60.6.170.210.in-addr.arpa udp
US 8.8.8.8:53 129.163.14.183.in-addr.arpa udp
US 8.8.8.8:53 246.201.181.195.in-addr.arpa udp
US 8.8.8.8:53 24.94.97.167.in-addr.arpa udp
US 8.8.8.8:53 238.255.219.6.in-addr.arpa udp
US 8.8.8.8:53 118.4.94.184.in-addr.arpa udp
US 8.8.8.8:53 251.213.133.156.in-addr.arpa udp
US 8.8.8.8:53 70.88.20.115.in-addr.arpa udp
US 8.8.8.8:53 69.80.87.206.in-addr.arpa udp
US 8.8.8.8:53 99.122.66.205.in-addr.arpa udp
US 8.8.8.8:53 124.77.109.54.in-addr.arpa udp
US 8.8.8.8:53 40.162.250.184.in-addr.arpa udp
US 8.8.8.8:53 56.18.229.187.in-addr.arpa udp
US 8.8.8.8:53 69.134.27.109.in-addr.arpa udp
US 8.8.8.8:53 62.177.91.10.in-addr.arpa udp
US 8.8.8.8:53 51.127.237.61.in-addr.arpa udp
US 8.8.8.8:53 107.35.73.217.in-addr.arpa udp
US 8.8.8.8:53 91.175.170.135.in-addr.arpa udp
US 8.8.8.8:53 139.181.42.30.in-addr.arpa udp
US 8.8.8.8:53 146.249.236.252.in-addr.arpa udp
US 8.8.8.8:53 142.86.1.112.in-addr.arpa udp
US 8.8.8.8:53 175.129.132.98.in-addr.arpa udp
US 8.8.8.8:53 158.210.189.93.in-addr.arpa udp
US 8.8.8.8:53 155.19.204.23.in-addr.arpa udp
US 8.8.8.8:53 109.15.151.157.in-addr.arpa udp
US 8.8.8.8:53 75.189.124.133.in-addr.arpa udp
US 8.8.8.8:53 253.193.130.198.in-addr.arpa udp
US 8.8.8.8:53 73.179.49.25.in-addr.arpa udp
US 8.8.8.8:53 201.98.82.87.in-addr.arpa udp
US 8.8.8.8:53 191.236.133.148.in-addr.arpa udp
US 8.8.8.8:53 224.206.6.108.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 69.47.191.111.in-addr.arpa udp
US 8.8.8.8:53 96.133.171.160.in-addr.arpa udp
US 8.8.8.8:53 157.80.86.199.in-addr.arpa udp
US 8.8.8.8:53 251.228.221.90.in-addr.arpa udp
US 8.8.8.8:53 156.112.103.74.in-addr.arpa udp
US 8.8.8.8:53 201.143.51.10.in-addr.arpa udp
US 8.8.8.8:53 24.213.130.92.in-addr.arpa udp
US 8.8.8.8:53 41.233.175.216.in-addr.arpa udp
US 8.8.8.8:53 99.25.111.178.in-addr.arpa udp
US 8.8.8.8:53 244.145.67.61.in-addr.arpa udp
US 8.8.8.8:53 74.133.78.159.in-addr.arpa udp
US 8.8.8.8:53 85.150.139.94.in-addr.arpa udp
US 8.8.8.8:53 197.38.108.1.in-addr.arpa udp
US 8.8.8.8:53 241.175.77.49.in-addr.arpa udp
US 8.8.8.8:53 191.240.130.163.in-addr.arpa udp
US 8.8.8.8:53 172.170.45.182.in-addr.arpa udp
US 8.8.8.8:53 156.36.110.232.in-addr.arpa udp
US 8.8.8.8:53 46.39.68.238.in-addr.arpa udp
US 8.8.8.8:53 156.7.91.168.in-addr.arpa udp
US 8.8.8.8:53 155.114.32.44.in-addr.arpa udp
US 8.8.8.8:53 184.148.169.180.in-addr.arpa udp
US 8.8.8.8:53 128.100.53.228.in-addr.arpa udp
US 8.8.8.8:53 213.176.249.56.in-addr.arpa udp
US 8.8.8.8:53 68.235.163.73.in-addr.arpa udp
US 8.8.8.8:53 50.255.141.244.in-addr.arpa udp
US 8.8.8.8:53 252.135.203.57.in-addr.arpa udp
US 8.8.8.8:53 19.21.248.122.in-addr.arpa udp
US 8.8.8.8:53 174.249.18.245.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1612-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\fetish fucking uncut .rar.exe

MD5 433a0376a024fdf8b35256c0f9164414
SHA1 d1d45f79ab09cdb434087498c211e84383313464
SHA256 20a5d73b695d189c9dcd55a2ddcc313e4f072fd060d8f8f6c953034ab326263e
SHA512 966d60a3597c2b3d1ef4a5ecebda8a2ab1fe9b29c37d5d9c81266c4d17bf98d7629dac37c9e2db2529d85e6c8f111659b7883aab13db053829d745cfb5d24bc7

memory/5016-68-0x0000000000400000-0x0000000000429000-memory.dmp

memory/3496-166-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2104-167-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 21:00

Reported

2024-04-07 21:03

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\IME\shared\hardcore masturbation bondage (Gina,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\lingerie big hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\brasilian gang bang beast girls bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\System32\DriverStore\Temp\porn blowjob masturbation (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian action gay hidden feet \× (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fetish gay uncut hole granny (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\brasilian kicking trambling sleeping (Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\danish animal fucking uncut leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\IME\shared\bukkake big YEâPSè& .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\swedish gang bang horse [free] (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\gay full movie cock (Sandy,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\lesbian licking feet .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\danish horse sperm hidden cock redhair .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\tyrkish cumshot sperm [free] glans sm (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\blowjob licking cock .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\danish nude fucking [milf] girly .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\brasilian action fucking several models titts .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\DVD Maker\Shared\xxx public bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\danish gang bang horse hot (!) hole 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Google\Temp\italian animal hardcore hidden black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\russian kicking trambling public feet (Kathrin,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\italian nude horse lesbian cock mature (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\horse big swallow (Sandy,Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\lingerie [milf] glans 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\tyrkish fetish lingerie several models leather (Sonja,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\brasilian action gay catfight 40+ (Britney,Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\swedish kicking sperm sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\lesbian hidden high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\british gay hot (!) sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\horse lingerie sleeping .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\trambling uncut .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\tmp\fucking several models hole traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\chinese beast [free] stockings (Britney,Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\nude beast [bangbus] glans wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\american nude beast several models cock girly (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\norwegian trambling [free] young .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\danish horse gay big titts sweet .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\nude fucking girls feet YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\japanese kicking xxx sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\indian handjob gay public titts upskirt (Jade).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\norwegian hardcore masturbation (Sarah).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\InstallTemp\norwegian gay big leather .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\tyrkish cum sperm sleeping (Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\blowjob full movie feet granny .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\lingerie licking .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\chinese lesbian [bangbus] hole mature .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\Temp\swedish animal xxx voyeur castration .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\horse girls titts fishy .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\italian beastiality hardcore hot (!) stockings (Sandy,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\fetish bukkake girls sm .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\russian action blowjob voyeur hole .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\horse beast [milf] (Sarah).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\lesbian [milf] upskirt .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_34400a5790d1d336\african blowjob girls cock mature (Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\canadian sperm lesbian feet (Sonja,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\danish handjob lingerie voyeur high heels .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\african lingerie licking .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\fucking [milf] titts (Sonja,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\action lingerie voyeur cock penetration .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\italian nude blowjob hot (!) feet granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\bukkake several models (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\lingerie lesbian feet wifey (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\beastiality xxx sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\black fetish beast big cock ejaculation (Curtney).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\SoftwareDistribution\Download\brasilian animal lesbian uncut (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\animal xxx big glans fishy (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\asian hardcore [milf] hole gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\handjob bukkake hidden sweet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\lingerie girls feet YEâPSè& (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\british beast [free] (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\spanish fucking several models glans wifey .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_6.1.7600.16385_none_a727eb798dcfb185\animal beast catfight feet sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\british horse full movie (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\tyrkish kicking xxx full movie 50+ .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\horse hot (!) cock bedroom .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\security\templates\indian cumshot gay catfight ejaculation (Kathrin,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\sperm uncut titts .rar.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\german lingerie lesbian glans 40+ (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\malaysia xxx catfight titts (Anniston,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\asian lesbian hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx catfight femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\xxx [free] hole mistress (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\asian beast voyeur .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\american fetish bukkake girls swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\japanese handjob bukkake sleeping glans .mpg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\canadian bukkake [bangbus] glans sm .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\chinese lingerie big glans .avi.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\swedish nude lingerie masturbation upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
File created C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\spanish hardcore [bangbus] cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2440 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2440 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2440 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2384 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2384 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2384 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe
PID 2384 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe

"C:\Users\Admin\AppData\Local\Temp\5033d1df1c982605614f3b8389af39a9c541444a192af4eaa37413f9d1b6042f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 224.116.204.101.in-addr.arpa udp
US 8.8.8.8:53 183.103.175.35.in-addr.arpa udp
US 8.8.8.8:53 25.44.221.176.in-addr.arpa udp
US 8.8.8.8:53 14.10.164.167.in-addr.arpa udp
US 8.8.8.8:53 186.89.89.41.in-addr.arpa udp
US 8.8.8.8:53 44.221.239.238.in-addr.arpa udp
US 8.8.8.8:53 196.177.246.80.in-addr.arpa udp
US 8.8.8.8:53 95.112.195.154.in-addr.arpa udp
US 8.8.8.8:53 55.159.78.197.in-addr.arpa udp
US 8.8.8.8:53 9.73.154.151.in-addr.arpa udp
US 8.8.8.8:53 83.236.148.9.in-addr.arpa udp
US 8.8.8.8:53 169.17.40.12.in-addr.arpa udp
US 8.8.8.8:53 188.235.245.118.in-addr.arpa udp
US 8.8.8.8:53 115.28.161.197.in-addr.arpa udp
US 8.8.8.8:53 154.23.30.97.in-addr.arpa udp
US 8.8.8.8:53 15.194.232.158.in-addr.arpa udp
US 8.8.8.8:53 185.35.166.236.in-addr.arpa udp
US 8.8.8.8:53 155.105.187.175.in-addr.arpa udp
US 8.8.8.8:53 32.152.35.32.in-addr.arpa udp
US 8.8.8.8:53 179.147.77.245.in-addr.arpa udp
US 8.8.8.8:53 27.59.55.62.in-addr.arpa udp
US 8.8.8.8:53 240.41.74.215.in-addr.arpa udp
US 8.8.8.8:53 57.100.213.89.in-addr.arpa udp
US 8.8.8.8:53 73.133.214.79.in-addr.arpa udp
US 8.8.8.8:53 148.99.103.251.in-addr.arpa udp
US 8.8.8.8:53 208.126.162.146.in-addr.arpa udp
US 8.8.8.8:53 74.45.186.187.in-addr.arpa udp
US 8.8.8.8:53 129.12.190.165.in-addr.arpa udp

Files

memory/2440-0-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\italian nude horse lesbian cock mature (Sylvia).zip.exe

MD5 9ba06b144b9c29e2a2ae21b6ff18c9e3
SHA1 2712d03805c40cad105fcf7ae49e7da50668933c
SHA256 39a45b488ba526dcdf95392ee95c8b74ad1fa5cb94a13fde7f257200685605e8
SHA512 01cfbffd7532b1d743c5794a5a336118fb7ac3b9b489f3497a945110701fad65065c670e704a10b57473ca962429c76da4a3767e14bb7e35804c5c0821e4dce4

memory/2440-65-0x0000000006280000-0x00000000062A9000-memory.dmp

memory/2384-66-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2340-88-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2384-87-0x0000000004CE0000-0x0000000004D09000-memory.dmp

C:\debug.txt

MD5 adb4ec445493170b4c3df3ebcea38615
SHA1 d2363617d826118ec5b22474db73a1c4ea206f49
SHA256 8913e3349f1d0ca679027f454328cd83d88c45a3fe58f30013a54a9f4f71e14e
SHA512 c33020799c5ab5c70941ea82ead181ca04746b360b1ec2982be57819481ca5e28cce6bb2ca3db19d663e0563ee14612ac5940f9a761e137c3011da41befcf8d9