Malware Analysis Report

2024-11-30 04:06

Sample ID 240408-bbr26abh2y
Target be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2
SHA256 be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2
Tags
upx persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2

Threat Level: Known bad

The file be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Checks computer location settings

UPX packed file

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 00:58

Signatures

UPX dump on OEP (original entry point)


UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 00:58

Reported

2024-04-08 01:01

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames


UPX dump on OEP (original entry point)


Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Enumerates connected drives


Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory


Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe
PID 2536 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

Network

Country Destination Domain Proto

Files

memory/1736-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\danish animal sperm masturbation (Karin).mpg.exe

MD5 5539ab50c2a4b87391f06d43c1974211
SHA1 a22dfe7c50388d4bf6112700605bea2a240dbc2d
SHA256 68f8b3b6db877d9e7f9ddb414e0dab120a6011a0b136d97a89a5b151dd77abab
SHA512 b3ab7a4829c6bbd15273e612ddfa03fdb7f7c41d5e35cb0550ddc16410cc71a834bbb0e9e790c570dca96da8a5bbc2244c483630329a207ed147205ae20eee05

C:\debug.txt

MD5 976de8fdae5e43bd4921f74c5580829c
SHA1 a12dcbe181ec446977ad3960210712dd4880ad26
SHA256 5c63063b1ff3558647cf349ce7a9c8c087617ea5b8f0f38befbe948e3c10b825
SHA512 632a7b8fd29888e578fba834b1f407a74a2f3c15c7b9ea482de9eb09c359684174b2d712a22b079cc59edbcd0738055e51b1f9489510274856d6e322bbd947c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 00:58

Reported

2024-04-08 01:01

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\indian cum gay big cock (Britney,Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\russian beastiality beast masturbation black hairunshaved (Britney,Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\danish fetish hardcore hidden glans femdom (Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\italian gang bang hardcore full movie .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake big .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish kicking blowjob public blondie (Anniston,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\System32\DriverStore\Temp\fucking hot (!) (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\animal horse [bangbus] hole granny .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\fucking sleeping bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\black kicking gay [bangbus] .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\hardcore [bangbus] feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\russian cum gay catfight shower .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\gay sleeping feet shower .zip.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\lesbian [bangbus] glans upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\russian cum beast lesbian feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\lingerie catfight (Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\japanese beastiality lingerie licking glans blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\dotnet\shared\bukkake hidden high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\bukkake [free] granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian porn bukkake uncut cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Google\Temp\black cum beast girls bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Common Files\microsoft shared\brasilian horse hardcore masturbation 50+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\japanese nude lingerie hidden cock pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\trambling lesbian (Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\japanese horse hardcore girls 40+ .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american action trambling catfight (Janette).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\cum lingerie [bangbus] (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\swedish beastiality blowjob [bangbus] feet pregnant .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\bukkake lesbian cock femdom .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\handjob lesbian full movie feet hotel (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\british gay [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\fucking public titts gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\indian porn trambling big 40+ (Britney,Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\danish cum blowjob [free] titts bondage (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\beast big gorgeoushorny .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\brasilian nude beast public .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_b1ffa0e7b4ed03e2\chinese fucking hot (!) black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_8fafa997b9980bea\black action blowjob voyeur bedroom (Britney,Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\fetish blowjob girls circumcision (Sandy,Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\handjob hardcore hidden titts leather .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\japanese handjob gay uncut ¤ç (Sandy,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\PLA\Templates\action trambling uncut cock (Christine,Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\british xxx sleeping stockings (Christine,Liz).avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\trambling [free] (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\hardcore big titts gorgeoushorny (Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\swedish action hardcore uncut granny .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\brasilian cum gay full movie fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\german gay full movie hole ash (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\italian gang bang fucking catfight granny .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\fucking sleeping (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\blowjob sleeping glans .zip.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\french gay public ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\german bukkake full movie .mpg.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\japanese cum lingerie voyeur granny .rar.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\french lingerie uncut glans shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2724 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe
PID 2724 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe
PID 5044 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe

"C:\Users\Admin\AppData\Local\Temp\be511bc613dfbbead81a0d50bc58a28654f760a186c4372a2afd73130b565cb2.exe"

Network

Country Destination Domain Proto

Files

memory/2724-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\brasilian porn bukkake uncut cock .mpg.exe

MD5 32f583ee867446045c87992c8db5d62c
SHA1 c6e17da7b66e3b6b454013040317c4ecd1db1def
SHA256 cba55736c2d72f20097493e8fa409f7e7d619329bff932c092c1090b1b580bc0
SHA512 b5308a877d1555837c65e2034ecaa09c85ea3c9d449951d3006ee1edb7a0010356796ed20cf4914441b02cd48dc689a60e127acfe71b0fa60a1762e183c6ad56
