Malware Analysis Report

2024-11-30 04:10

Sample ID 240408-bkcc3acc2y
Target c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523
SHA256 c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523
Tags
persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523

Threat Level: Known bad

The file c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523 was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer upx

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

Reads user/profile data of web browsers

Checks computer location settings

UPX packed file

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:11

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
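The three static hits above (UPX packed, UPX dump on OEP, unsigned PE) are the report's, but the report does not show how they were reached. The following is an added example, not code from this report or its sandbox: a dependency-free check that walks the PE section table and looks for the UPX0/UPX1 section names and the "UPX!" loader magic that stock UPX leaves in the header region. It is exercised on a constructed minimal PE image, not on the real sample; the section names and the magic offset are assumptions about an unmodified UPX build.

```python
"""Static UPX-packing check over a PE section table (added example)."""
import struct
import sys


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, or [] if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):             # truncated header, stop cleanly
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """Heuristic: UPX0/UPX1 section names or the 'UPX!' l_magic in the header.

    Either signal can be stripped by a modified UPX build, so a False here is
    a hint, not proof (assumption: stock UPX layout)."""
    by_name = any(n.startswith("UPX") for n in pe_section_names(data))
    by_magic = b"UPX!" in data[:4096]        # stock UPX writes it near the headers
    return by_name or by_magic


def build_pe(section_names: list[str]) -> bytes:
    """Construct a minimal PE image with the given sections (test input only)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0, omitted), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(
        n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names
    )
    return dos + b"PE\0\0" + coff + sections


def scan_file(path: str) -> bool:
    with open(path, "rb") as fh:
        return looks_upx_packed(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, "UPX" if scan_file(p) else "-")
```

If the check fires, `upx -d` on a copy usually restores the original image for static work; where a modified header makes UPX refuse, the sandbox's "UPX dump on OEP" is the fallback. Note that the sandbox-username string hit appears only under behavioral2, which is consistent with those strings being visible only in the unpacked image.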

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:11

Reported

2024-04-08 01:14

Platform

win10v2004-20240319-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\handjob full movie (Jade).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\trambling cum licking (Gina).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\horse kicking lesbian girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\fetish bukkake uncut cock (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\horse animal sleeping ash (Sonja,Sonja).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\black action catfight titts YEâPSè& .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\canadian trambling kicking masturbation latex .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\fetish sleeping sweet (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\russian lingerie lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\System32\DriverStore\Temp\beast hot (!) hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\animal big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\japanese beast gang bang licking (Tatjana,Christine).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\tyrkish nude bukkake [milf] fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\{D3EA2F86-0081-495C-8439-1E64CA71F999}\EDGEMITMP_57EE5.tmp\porn horse full movie wifey .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Google\Temp\horse licking Ôï .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\german beast xxx [free] bondage .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\kicking hidden glans penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\norwegian beastiality several models .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\african cumshot horse big titts .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\american horse blowjob hot (!) ash traffic (Melissa,Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\swedish horse blowjob hot (!) vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\indian trambling gang bang full movie ash femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay blowjob big leather .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\tyrkish beastiality sleeping boobs boots .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\porn [milf] fishy .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\german hardcore nude lesbian .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\american beastiality lesbian penetration .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Common Files\microsoft shared\brasilian fucking action hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\chinese cumshot fucking catfight young (Kathrin).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\gay sperm public (Kathrin,Ashley).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\trambling trambling hot (!) .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\lingerie bukkake masturbation (Christine).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\canadian blowjob cumshot [milf] feet Ôï .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\norwegian action action [bangbus] pregnant (Anniston).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\canadian nude big .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\black gay sleeping (Gina,Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\beast sperm masturbation bedroom (Jenna,Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\american horse hardcore lesbian ash (Melissa,Gina).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\indian gang bang hot (!) pregnant (Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\german bukkake fucking hot (!) lady (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\trambling bukkake hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_93c5f32b7859ec4f\handjob cum uncut .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\spanish sperm several models .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\beastiality hot (!) glans black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\porn horse girls vagina .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\templates\french gay fetish sleeping balls .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_es-es_64c107d8bb3ade94\asian horse girls .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\tyrkish horse voyeur blondie .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\cumshot animal girls (Jade,Britney).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\brasilian gay animal uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\porn trambling masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\italian hardcore sperm voyeur (Jade,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\InputMethod\SHARED\asian bukkake several models hole shower (Jade,Jenna).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\black sperm hardcore masturbation ash traffic .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\russian beastiality horse licking .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_56cd15352969a8d0\chinese hardcore several models .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\italian gang bang horse lesbian .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\x86_netfx4-uninstallsqlstatetemplate_sql_b03f5f7f11d50a3a_4.0.15805.0_none_231ddfc33015c6db\french handjob [milf] leather .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\xxx fetish big (Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\canadian handjob several models cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_6c6bd34f082a97f1\chinese blowjob handjob girls sm .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_72a319bf8ee74a9b\norwegian cum [bangbus] .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\japanese action catfight .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\danish lingerie [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\beastiality licking nipples (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3058d81cfd5218f2\japanese horse horse [milf] ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_0341fea186758116\beastiality lingerie masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\swedish fucking [free] boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\swedish lesbian [milf] (Kathrin).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\xxx bukkake catfight gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\italian blowjob girls 50+ .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\spanish gang bang fucking voyeur boobs circumcision .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\lesbian hot (!) sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\russian fucking fetish public shower .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\blowjob animal public .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\african beast [bangbus] ash .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\nude beastiality licking .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\fucking horse lesbian granny .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\blowjob catfight .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.546_none_cd016aa683e5a345\canadian lesbian gang bang public feet pregnant (Jade,Christine).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\PLA\Templates\asian cum girls Ôï .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\gay xxx voyeur feet (Melissa,Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\german gang bang lesbian masturbation .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_34e3bab50607a64b\cum [milf] boots (Melissa,Gina).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\security\templates\spanish horse full movie traffic (Jade).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\gang bang full movie nipples shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_10.0.19041.1_none_91025638be651781\beastiality catfight YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\fucking masturbation mistress .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\black sperm sleeping castration .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\african handjob hidden legs granny .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\danish beastiality animal several models legs black hairunshaved (Gina).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\hardcore hardcore [free] (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\american animal xxx lesbian nipples YEâPSè& .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SoftwareDistribution\Download\SharedFileCache\spanish horse [milf] vagina upskirt .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_215194e2327a46ac\sperm beast catfight bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
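The behavioral rows from "Checks computer location settings" through "Drops file in Windows directory" are the actionable part of this report: one Run-key persistence entry, a sweep of drive letters, and several hundred drops whose names imitate media or archive files with a trailing .exe, landing in directories whose names suggest shared, template or download locations. The following is an added example, not code from this report or its sandbox. It parses rows in the report's own "Description Indicator Process Target" layout and pulls out those indicators; the sample rows are a subset copied from the tables above, and the double-extension and shared-directory rules are this editor's heuristics, not the sandbox's signature logic.

```python
"""Triage of sandbox behavioral rows into host IOCs (added example)."""
import re

SAMPLE_PROC = r"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

# Constructed subset of the behavioral2 rows in this report.
SAMPLE_ROWS = [
    rf"Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation {SAMPLE_PROC} N/A",
    rf'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" {SAMPLE_PROC} N/A',
    rf"File opened (read-only) \??\L: {SAMPLE_PROC} N/A",
    rf"File opened (read-only) \??\E: {SAMPLE_PROC} N/A",
    rf"File created C:\Windows\System32\LogFiles\Fax\Incoming\animal big .mpeg.exe {SAMPLE_PROC} N/A",
    rf"File created C:\Program Files (x86)\Google\Update\Download\german hardcore nude lesbian .mpeg.exe {SAMPLE_PROC} N/A",
    rf"File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\hardcore hardcore [free] (Janette).zip.exe {SAMPLE_PROC} N/A",
]

# The process path carries no spaces, so a lazy indicator followed by a
# space-free drive path and the trailing N/A splits the row unambiguously.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened \(read-only\)|Set value \(str\)|Key value queried)\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Za-z]:\\\S+)\s+N/A$"
)
# Heuristics (editor's assumptions, not sandbox rules):
LURE_RE = re.compile(r"\.(avi|mpe?g|wmv|mp4|rar|zip|7z)\.exe$", re.IGNORECASE)
SHARE_HINT_RE = re.compile(r"share|template|download|incoming|temp", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):")


def parse_row(line: str):
    m = ROW_RE.match(line)
    return m.groupdict() if m else None


def triage(rows):
    """Return persistence entries, lure drops, enumerated drives, geo queries."""
    out = {"persistence": [], "lure_drops": [], "drives": [], "geo_check": 0, "unparsed": 0}
    for line in rows:
        rec = parse_row(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        act, ind = rec["action"], rec["indicator"]
        if act == "Set value (str)" and " = " in ind:
            key, _, value = ind.partition(" = ")
            km = RUN_KEY_RE.search(key)
            if km:
                # The sandbox prints the value with escaped backslashes.
                target = value.strip('"').replace("\\\\", "\\")
                out["persistence"].append((km.group("name"), target))
        elif act == "File created" and LURE_RE.search(ind):
            directory = ind.rsplit("\\", 1)[0]
            out["lure_drops"].append((ind, bool(SHARE_HINT_RE.search(directory))))
        elif act == "File opened (read-only)":
            dm = DRIVE_RE.fullmatch(ind)
            if dm:
                out["drives"].append(dm.group(1))
        elif act == "Key value queried" and ind.endswith(r"\Geo\Nation"):
            out["geo_check"] += 1
    return out


if __name__ == "__main__":
    for k, v in triage(SAMPLE_ROWS).items():
        print(k, v)
```

The Run-key entry is the host IOC to sweep for: value name mssrv32 under the WOW6432Node Run key (a 32-bit process writing HKLM\...\Run on 64-bit Windows lands there), pointing at C:\Windows\mssrv.exe. The drop tables above do not show mssrv.exe itself being written within the 150 s window, so check for the file on a suspect host rather than assuming it exists. The lure drops and the A: through Z: sweep are the spreading side; the shared-directory flag is only a hint for where to look for copies.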

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
(the row above repeats 64 times in the report: all 64 events come from the same process and none carries an indicator or target)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4572 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 4572 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 4572 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 4572 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 4572 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 4572 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 2084 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 2084 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 2084 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1392 --field-trial-handle=2844,i,5640589924128028832,7963280732661142908,262144 --variations-seed-version /prefetch:8

Network

Note: this table has no process column, so none of the rows is attributed to the sample. Every entry is either a PTR (reverse-DNS) query sent to 8.8.8.8 or HTTPS traffic to Microsoft-operated hosts (tse1.mm.bing.net, 13.107.246.64), which is the background profile of Windows and Edge on the win10 image rather than evidence of command-and-control. Do not lift these destinations as indicators without a process-attributed capture.

Country Destination Domain Proto
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 250.192.214.48.in-addr.arpa udp
US 8.8.8.8:53 55.234.121.100.in-addr.arpa udp
US 8.8.8.8:53 87.210.158.117.in-addr.arpa udp
US 8.8.8.8:53 138.169.243.183.in-addr.arpa udp
US 8.8.8.8:53 77.156.147.17.in-addr.arpa udp
US 8.8.8.8:53 96.221.109.11.in-addr.arpa udp
US 8.8.8.8:53 106.17.38.91.in-addr.arpa udp
US 8.8.8.8:53 250.93.113.29.in-addr.arpa udp
US 8.8.8.8:53 207.240.149.146.in-addr.arpa udp
US 8.8.8.8:53 51.115.142.36.in-addr.arpa udp
US 8.8.8.8:53 150.47.6.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 48.135.97.145.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 246.52.238.244.in-addr.arpa udp
US 8.8.8.8:53 4.128.245.206.in-addr.arpa udp
US 8.8.8.8:53 27.95.183.99.in-addr.arpa udp
US 8.8.8.8:53 108.65.69.112.in-addr.arpa udp
US 8.8.8.8:53 154.119.134.254.in-addr.arpa udp
US 8.8.8.8:53 47.196.17.33.in-addr.arpa udp
US 8.8.8.8:53 197.149.85.232.in-addr.arpa udp
US 8.8.8.8:53 217.208.156.37.in-addr.arpa udp
US 8.8.8.8:53 51.228.98.68.in-addr.arpa udp
US 8.8.8.8:53 20.88.119.189.in-addr.arpa udp
US 8.8.8.8:53 178.64.17.164.in-addr.arpa udp
US 8.8.8.8:53 59.94.105.98.in-addr.arpa udp
US 8.8.8.8:53 93.77.18.77.in-addr.arpa udp
US 8.8.8.8:53 175.26.20.194.in-addr.arpa udp
US 8.8.8.8:53 245.110.101.50.in-addr.arpa udp
US 8.8.8.8:53 52.35.72.88.in-addr.arpa udp
US 8.8.8.8:53 123.178.180.50.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 118.19.3.8.in-addr.arpa udp
US 8.8.8.8:53 163.102.203.67.in-addr.arpa udp

Files

memory/4572-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\gay blowjob big leather .avi.exe

MD5 1e3da10c6d5f18a1a23f3b2d494782db
SHA1 c10825d72f4e74cd2cc7ff35b801b2ed3e575f88
SHA256 3ed097748381e893a242c0a03642c31438589a879888c07ca08ec4aaeb31d034
SHA512 a6a780c877c91e6eeabc50bdf543b77534676db9634b3f9645daa82ee5c9f03bf15e428a8aee5b2f186c791a55e79dcc9cf19790c1553852b90142ee457a6529

memory/2084-14-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1224-27-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3844-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4572-191-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2084-194-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1224-197-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3844-198-0x0000000000400000-0x000000000041F000-memory.dmp

C:\debug.txt

MD5 6039e7cd088207465e02c01cf828a18e
SHA1 01c0b9320b3715d08aea85287197e15696598cb3
SHA256 7e584f07b2b88955a9cd7339d83a8df66e3c0fdc09bd8fa182c2ffaad0f5aba0
SHA512 202b524bf2989f0e69323fee93760776bdbfd25b2f14adf8b16fac24993956b7610a5b93db99327385340519c498cd1d9af2a49a0e753d565e12e87b242a87fb
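The nine "Suspicious use of WriteProcessMemory" rows and the memory dump names in the Files section above describe one event tree: PID 4572 writes three times into each of 2084 and 1224, 2084 writes three times into 3844, and every one of the four processes is dumped with the identical region 0x400000-0x41F000. The script below is an added example, not the sandbox's code or the report's own output: it rebuilds that tree from the rows, checks that all dumped processes share exactly one image region (what you expect when a sample relaunches itself and writes its own image into the new copy), and renders the tree for an incident ticket. The rows are embedded as constructed sample input copied from this report; the function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: the WriteProcessMemory rows and memory-dump names
# from the behavioral2 analysis of this report.
WRITE_ROWS = """
PID 4572 wrote to memory of 2084
PID 4572 wrote to memory of 2084
PID 4572 wrote to memory of 2084
PID 4572 wrote to memory of 1224
PID 4572 wrote to memory of 1224
PID 4572 wrote to memory of 1224
PID 2084 wrote to memory of 3844
PID 2084 wrote to memory of 3844
PID 2084 wrote to memory of 3844
""".strip().splitlines()

DUMP_NAMES = [
    "memory/4572-0-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/2084-14-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/1224-27-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/3844-31-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/4572-191-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/2084-194-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/1224-197-0x0000000000400000-0x000000000041F000-memory.dmp",
    "memory/3844-198-0x0000000000400000-0x000000000041F000-memory.dmp",
]

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def build_tree(rows):
    """Return ({writer: {target: write_count}}, root_pids) from the rows.

    The per-edge count matters: the same three-write sequence repeated for
    every child is one injection routine reused on each new copy.
    """
    edges = defaultdict(lambda: defaultdict(int))
    writers, targets = set(), set()
    for row in rows:
        m = WRITE_RE.search(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[src][dst] += 1
        writers.add(src)
        targets.add(dst)
    roots = sorted(writers - targets)  # processes nobody wrote into
    return {s: dict(d) for s, d in edges.items()}, roots


def parse_dumps(names):
    """Map pid -> set of (base, size) regions the sandbox dumped for it."""
    regions = defaultdict(set)
    for n in names:
        m = DUMP_RE.search(n)
        if not m:
            continue
        pid = int(m.group(1))
        base, end = int(m.group(3), 16), int(m.group(4), 16)
        regions[pid].add((base, end - base))
    return dict(regions)


def same_image_everywhere(regions):
    """True when every dumped process carries exactly one identical region."""
    all_regions = set()
    for r in regions.values():
        all_regions |= r
    return len(all_regions) == 1


def render_tree(edges, roots):
    """Indented parent -> child listing with write counts per edge."""
    lines = []

    def walk(pid, depth):
        for child, n in sorted(edges.get(pid, {}).items()):
            lines.append("  " * depth + f"{pid} -> {child}  ({n} writes)")
            walk(child, depth + 1)

    for r in roots:
        lines.append(f"{r} (root)")
        walk(r, 1)
    return "\n".join(lines)


if __name__ == "__main__":
    edges, roots = build_tree(WRITE_ROWS)
    regions = parse_dumps(DUMP_NAMES)
    print(render_tree(edges, roots))
    print("all dumps share one image region:", same_image_everywhere(regions))
```

The region size is the same 0x1F000 bytes in all eight dumps, so when comparing dumps offline you only need to diff one child against the parent to confirm that the children are copies of the same unpacked image.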

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:11

Reported

2024-04-08 01:14

Platform

win7-20240221-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
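The Run key row above is the only persistence entry in this report, and the binary it points at, C:\Windows\mssrv.exe, appears as a File created row in the Drops file in Windows directory table further down, so the sample both drops the binary and registers it. Because the key sits under Wow6432Node it is the 32-bit (WOW64) view of HKLM\...\CurrentVersion\Run, which Windows also processes at logon, so the entry is effective on a 64-bit host. The script below is an added example, not the sandbox's code: it parses the row into hive, subkey, value name and unescaped data, cross-references the data path against the dropped-file list, and emits a Sigma-style registry_set selection. The input rows are copied from this report; function names are the example's own.

```python
import re

# Constructed sample input, copied from this report: the registry write from the
# "Adds Run key to start application" table and two paths from the
# "Drops file in Windows directory" table (only the first is the persistence target).
RUN_KEY_ROW = (r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows'
               r'\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"')
DROPPED_FILES = [
    r"C:\Windows\mssrv.exe",
    r"C:\Windows\winsxs\Temp\swedish fetish lesbian public titts shower (Liz).mpeg.exe",
]

# Sandbox row shape: Set value (<type>) <native key path>\<value name> = "<data>"
RUN_RE = re.compile(
    r'Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^ ]+?)\\(?P<name>[^\\ ]+) = "(?P<data>.*)"'
)
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}


def parse_run_key(row):
    """Split a 'Set value' row into hive, subkey, value name and unescaped data."""
    m = RUN_RE.search(row)
    if not m:
        raise ValueError("not a registry Set value row")
    full_key = m.group("key")
    hive, subkey = None, full_key
    for native, short in HIVES.items():
        if full_key.upper().startswith(native.upper() + "\\"):
            hive, subkey = short, full_key[len(native) + 1:]
            break
    return {
        "type": m.group("type"),
        "hive": hive,
        "key": subkey,
        "name": m.group("name"),
        # the sandbox doubles backslashes inside the quoted data
        "data": m.group("data").replace("\\\\", "\\"),
        # Wow6432Node is the 32-bit registry view: a 32-bit writer was redirected here
        "wow64": "\\WOW6432NODE\\" in ("\\" + subkey + "\\").upper(),
    }


def to_winreg_path(entry):
    """HKLM\\... form suitable for reg query / Get-ItemProperty."""
    return f"{entry['hive']}\\{entry['key']}"


def persisted_binary_was_dropped(entry, dropped_files):
    """True when the Run value points at a file the same sample wrote to disk."""
    target = entry["data"].strip('"').lower()
    return any(p.lower() == target for p in dropped_files)


def sigma_selection(entry):
    """Sigma registry_set rule skeleton keyed on the value name and data."""
    return {
        "title": f"Run key persistence: {entry['name']} -> {entry['data']}",
        "logsource": {"category": "registry_set", "product": "windows"},
        "detection": {
            "selection": {
                "TargetObject|endswith": f"\\CurrentVersion\\Run\\{entry['name']}",
                "Details|contains": entry["data"],
            },
            "condition": "selection",
        },
        "level": "high",
    }


if __name__ == "__main__":
    e = parse_run_key(RUN_KEY_ROW)
    print(to_winreg_path(e), e["name"], "=", e["data"], "(WOW64 view)" if e["wow64"] else "")
    print("persistence target dropped by sample:", persisted_binary_was_dropped(e, DROPPED_FILES))
    print(sigma_selection(e))
```

On a live host the equivalent check is to read both views of the Run key (the native one and Wow6432Node) and confirm whether C:\Windows\mssrv.exe exists and hashes to something you recognise; the sandbox report records the drop but no hash for that file.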

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\horse voyeur (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\System32\DriverStore\Temp\italian handjob sperm voyeur hole .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\IME\shared\tyrkish cumshot trambling sleeping shower (Jenna,Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\japanese beastiality fucking masturbation hole black hairunshaved .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian nude hardcore [free] girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\lesbian [bangbus] (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\indian gang bang hardcore voyeur redhair (Sandy,Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\horse hidden .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\brasilian nude xxx voyeur cock bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SysWOW64\IME\shared\xxx catfight feet balls .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Temp\japanese fetish sperm girls .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\russian porn fucking lesbian redhair (Christine,Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\american horse gay uncut (Tatjana).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\hardcore licking upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\fucking voyeur titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\italian horse blowjob [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\swedish kicking horse hot (!) sweet (Christine,Samantha).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\hardcore licking glans beautyfull .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\gay [bangbus] wifey .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\black animal trambling masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\indian beastiality hardcore hidden swallow .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\swedish kicking horse catfight hole leather (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\brasilian cum sperm lesbian cock .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\DVD Maker\Shared\russian porn fucking hidden glans .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Program Files\Windows Journal\Templates\indian cum trambling masturbation cock hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
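Every dropped file in the drop tables of this analysis (System32, Program Files and Windows directory) except C:\Windows\mssrv.exe has the same shape: a lure name ending in a media or archive extension followed by .exe, written into Temp, Download, Shared, Template and profile directories. The "Enumerates connected drives" table above shows the sample opening every drive letter except C:, D: and F:. The script below is an added example, not tooling from the report: it extracts the drop paths, classifies them by directory type, derives the double-extension pattern to hunt with in file-create telemetry, and lists which letters were and were not probed. The sample rows are copied from the tables in this analysis; the directory keywords are the example's own choice.

```python
import re
import string
from collections import Counter

# Constructed sample input: "File created" rows (a subset of the drops) and the
# drive letters, copied from the behavioral1 tables of this report.
FILE_ROWS = [
    r"File created C:\Windows\SysWOW64\config\systemprofile\horse voyeur (Sylvia).zip.exe",
    r"File created C:\Windows\System32\DriverStore\Temp\italian handjob sperm voyeur hole .avi.exe",
    r"File created C:\Program Files (x86)\Google\Temp\japanese fetish sperm girls .zip.exe",
    r"File created C:\Program Files\Windows Sidebar\Shared Gadgets\gay [bangbus] wifey .mpeg.exe",
    r"File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\hardcore licking glans beautyfull .mpg.exe",
    r"File created C:\Windows\winsxs\Temp\swedish fetish lesbian public titts shower (Liz).mpeg.exe",
    r"File created C:\Windows\ServiceProfiles\LocalService\Downloads\hardcore uncut .mpeg.exe",
    r"File created C:\Windows\mssrv.exe",
]
# Letters in the order the "Enumerates connected drives" table lists them.
DRIVE_ROWS = [f"File opened (read-only) \\??\\{c}:" for c in "LQRTGEHXBMPUWIJKNOSVYAZ"]

# Media/archive extension immediately followed by .exe: the lure pattern used by
# every drop in the tables except the persistence binary mssrv.exe.
LURE_RE = re.compile(r"\.(avi|mpe?g|zip|rar)\.exe$", re.IGNORECASE)
DRIVE_RE = re.compile(r"\\\?\?\\([A-Z]):", re.IGNORECASE)
# Directory keywords (example's own choice), longest first so that "systemprofile"
# and "template" are not swallowed by the shorter "temp".
BUCKET_KEYWORDS = ("systemprofile", "template", "download", "shared", "temp")


def dropped_path(row):
    """Path from a 'File created <path>' row, or None for any other row."""
    prefix = "File created "
    return row[len(prefix):].strip() if row.startswith(prefix) else None


def is_lure_name(path):
    return LURE_RE.search(path) is not None


def lure_extension(path):
    m = LURE_RE.search(path)
    return m.group(1).lower() if m else None


def drop_bucket(path):
    """First directory component (file name excluded) that contains a keyword."""
    for part in path.split("\\")[:-1]:
        low = part.lower()
        for kw in BUCKET_KEYWORDS:
            if kw in low:
                return kw
    return "other"


def summarize(rows):
    """Counts and outliers for a drop-activity summary."""
    by_ext, by_bucket, non_lure = Counter(), Counter(), []
    lure_count = 0
    for row in rows:
        path = dropped_path(row)
        if path is None:
            continue
        if is_lure_name(path):
            lure_count += 1
            by_ext[lure_extension(path)] += 1
            by_bucket[drop_bucket(path)] += 1
        else:
            non_lure.append(path)  # anything outside the lure pattern deserves a look
    return {"lure_count": lure_count, "by_ext": by_ext, "by_bucket": by_bucket, "non_lure": non_lure}


def hunting_regex():
    """Case-insensitive pattern to search file-create telemetry with."""
    return "(?i)" + LURE_RE.pattern


def probed_letters(rows):
    return sorted({m.group(1).upper() for row in rows for m in [DRIVE_RE.search(row)] if m})


def unprobed_letters(rows):
    return sorted(set(string.ascii_uppercase) - set(probed_letters(rows)))


if __name__ == "__main__":
    s = summarize(FILE_ROWS)
    print(f"{s['lure_count']} lure drops; extensions {dict(s['by_ext'])}; dirs {dict(s['by_bucket'])}")
    print("non-lure drops:", s["non_lure"])
    print("hunt with:", hunting_regex())
    print("probed:", "".join(probed_letters(DRIVE_ROWS)), "not probed:", "".join(unprobed_letters(DRIVE_ROWS)))
```

The non-lure list is the part worth reading first: in this report it contains exactly one path, C:\Windows\mssrv.exe, which is also the target of the Run key, so the lure drops and the persistence binary can be separated mechanically rather than by scrolling the table.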

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\danish action gay catfight sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\spanish lesbian uncut penetration (Anniston,Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_39c9d74ef2ad6c7b\xxx licking feet penetration (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-m..-temptable-provider_31bf3856ad364e35_6.1.7600.16385_none_1dd3ce8d1e7524cd\indian fetish xxx several models (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP6B8E.tmp\russian action lingerie licking feet ash (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\brasilian fetish blowjob hot (!) high heels (Sandy,Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\SoftwareDistribution\Download\horse hidden ejaculation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\Temp\swedish fetish lesbian public titts shower (Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_05ea1d9b8e2bf020\asian beast full movie (Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\italian beastiality trambling uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\hardcore uncut .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\hardcore licking feet mature .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\spanish lingerie hidden pregnant (Anniston,Karin).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_39374e2435a71b47\indian action sperm sleeping feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\norwegian lingerie [bangbus] cock femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\xxx catfight shoes .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\brasilian fetish trambling uncut .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish animal sperm public cock black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\asian lingerie big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\spanish gay [free] glans YEâPSè& .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\hardcore several models lady .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\japanese gang bang horse catfight sm .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\kicking lingerie masturbation hole (Gina,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\InstallTemp\cumshot hardcore hot (!) traffic (Sonja,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_515dc677700303ec\bukkake full movie hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\temp\brasilian action blowjob [free] hotel (Anniston,Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_bcc167434bb9b3ea\kicking bukkake lesbian ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\italian animal lingerie [free] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\japanese animal lesbian several models glans young .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\nude gay big glans hairy (Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\xxx girls .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\gang bang lingerie masturbation glans swallow (Janette).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_095efe9c8261401e\fucking full movie fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\british lesbian masturbation femdom .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\american kicking hardcore hot (!) cock .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\beast licking glans upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\hardcore uncut wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00f45b041e1e8fd3\chinese beast hot (!) cock bondage .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\cumshot lingerie hot (!) girly .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\indian action lesbian girls redhair .mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\sperm big latex (Anniston,Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\PLA\Templates\swedish cum beast full movie (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\horse lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\japanese cumshot sperm lesbian feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\tmp\american cum fucking [bangbus] hole sm .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\italian gang bang hardcore uncut femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\norwegian hardcore hidden glans castration (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\spanish horse girls pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\italian beastiality gay [free] beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_99b74194b7347cab\sperm [bangbus] femdom .zip.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\indian nude lesbian hot (!) (Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\gang bang lesbian masturbation cock 40+ .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\gay hot (!) sweet .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\swedish animal fucking sleeping titts (Britney,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\malaysia sperm voyeur hole pregnant (Tatjana).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\indian cumshot beast public hole hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\american nude fucking catfight cock swallow .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\canadian sperm lesbian circumcision .rar.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\security\templates\danish nude horse several models black hairunshaved .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\blowjob several models cock shower (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\norwegian trambling lesbian pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3863e9ef3f804dd9\brasilian animal bukkake uncut hole .avi.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\asian sperm big hole boots (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe
PID 2580 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe

"C:\Users\Admin\AppData\Local\Temp\c3ada878db15fb6772d6fd023c0b35cfba0daad556e6b91617ec7ca1a1787523.exe"

Network

Country Destination Domain Proto

Files

memory/856-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\gay [bangbus] wifey .mpeg.exe

MD5 b108a40a36c2fb2b7f449e5d0c904112
SHA1 faa92a831de2441394307f26c61f9f85323786d4
SHA256 b875292cc4f47e0ebf8870b724ee624075a7a98800b5008bdac414d3b1cac878
SHA512 2941aded3596f79882d285f4848d031670e4ade085d527f871ef25eb15c417d19a5ca87f0c44f59c8e2085ab111fb9ebdfae67e4f826402cd1e229263f820758

memory/2580-16-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2580-61-0x0000000001E00000-0x0000000001E1F000-memory.dmp

memory/2496-63-0x0000000000400000-0x000000000041F000-memory.dmp

memory/856-95-0x0000000000400000-0x000000000041F000-memory.dmp

memory/856-98-0x0000000004A80000-0x0000000004A9F000-memory.dmp

memory/2580-99-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2580-100-0x0000000001E00000-0x0000000001E1F000-memory.dmp

memory/2496-102-0x0000000000400000-0x000000000041F000-memory.dmp

C:\debug.txt

MD5 2f3580057fc3a11fb56d83bf5adca673
SHA1 cd9a3521dbe6afd4fe8fb0a3af8245ccfb67690a
SHA256 5e1e06df3353d8b267839ad1aadae335a99b8d9f168607be6f551221ed09d4a7
SHA512 75da0d8e27714f2cffd70efc69b2e27c6d5b9b74883892cdfd7fe422084398e9f4e89cc1293d26fe04d843d9239a70b20101eafedaec60daf0963ae184c35d88