Malware Analysis Report

2024-11-30 04:12

Sample ID: 240408-bq4z9sce2z
Target: c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50
SHA256: c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50
Tags: upx persistence spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50

Threat Level: Known bad

The file c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-04-08 01:21

Signatures

UPX dump on OEP (original entry point)


UPX packed file

upx

Unsigned PE

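The two UPX signatures above are static: they come from section names and section layout. Added example, not part of this report and not the sandbox's own detection logic: a minimal PE section-table walk in Python that reports the three marks UPX leaves in the headers (UPX0/UPX1 section names, a first section that is empty on disk but large and writable in memory, where the unpacked image is reconstructed, and an entry point in a later section that holds the decompression stub). The build_fake_pe helper assembles constructed header bytes so the check runs offline; its section sizes are illustrative and are not taken from this sample.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes):
    """Walk DOS -> PE -> COFF -> optional header and return
    (AddressOfEntryPoint, [(name, virtual_size, virtual_address, raw_size, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(num_sections):
        f = SECTION_HEADER.unpack_from(pe, off)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, f[1], f[2], f[3], f[9]))
        off += SECTION_HEADER.size
    return entry, sections


def upx_indicators(pe: bytes):
    """Reasons the header layout looks UPX-packed; an empty list means none fired."""
    entry, sections = parse_sections(pe)
    hits = []
    if any(name.startswith("UPX") for name, *_ in sections):
        hits.append("UPX section names present")
    for name, vsize, _vaddr, rsize, chars in sections:
        # UPX0 occupies no bytes on disk but a large writable virtual range:
        # the stub decompresses the original image into it at runtime.
        if rsize == 0 and vsize > 0 and chars & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{name}: 0 bytes on disk, {vsize:#x} bytes virtual and writable")
    for idx, (name, vsize, vaddr, _rsize, _chars) in enumerate(sections):
        if vaddr <= entry < vaddr + vsize:
            # Entry point in a later section while the first is empty on disk is
            # the decompression-stub layout; the real OEP is only reached after
            # the stub runs, which is what "UPX dump on OEP" records.
            if idx > 0 and sections[0][3] == 0:
                hits.append(f"entry point {entry:#x} is in {name}, not in the empty first section {sections[0][0]}")
            break
    return hits


def build_fake_pe(sections, entry_rva):
    """Minimal, non-runnable PE32 header carrying the given section table.
    Constructed test data for exercising the parser offline, not a real sample.
    sections: list of (name_bytes, virtual_size, virtual_address, raw_size, characteristics)."""
    opt_size = 0xE0                                   # IMAGE_OPTIONAL_HEADER32
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, vaddr, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # Layout modelled on a typical UPX-packed 32-bit PE; sizes are illustrative.
    packed = build_fake_pe(
        [(b"UPX0", 0x1F000, 0x1000, 0, 0xE0000080),
         (b"UPX1", 0xC000, 0x20000, 0xB800, 0xE0000040),
         (b".rsrc", 0x1000, 0x2C000, 0x600, 0xC0000040)],
        entry_rva=0x2BD40,
    )
    for hit in upx_indicators(packed):
        print(hit)
```

upx -d unpacks a file whose UPX header is intact; when the packer header has been scrubbed or the stub patched it refuses, and the route the sandbox took (run to the OEP, then dump) is the fallback. The parser stops at the section table and relies on struct raising on a truncated buffer, so wrap it in a try/except when pointing it at arbitrary files.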

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-08 01:21
Reported: 2024-04-08 01:24
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

4 hits; no indicator, process or target recorded.

UPX dump on OEP (original entry point)

8 hits; no indicator, process or target recorded.

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
8 hits; no indicator, process or target recorded.

Adds Run key to start application

persistence
Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"
Process: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
Target: N/A
This is the machine-wide Run key as a 32-bit process sees it on 64-bit Windows (redirected into Wow6432Node); the image it points to, C:\Windows\mssrv.exe, is one of the files the sample creates (see Drops file in Windows directory).
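The Run value above sits under HKLM\SOFTWARE\Wow6432Node\...\Run, which is where a 32-bit process on a 64-bit Windows 7 host lands when it writes HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (WOW64 registry redirection). A hunt that queries only the native 64-bit key, or only HKCU, misses it. Added example, not part of the report and not sandbox tooling: a Python check over a constructed set of Run entries (the mssrv32 row is the one recorded above; the other rows are made-up benign noise) that matches the report's IOC and also applies a generic heuristic, an autostart image sitting directly in C:\Windows rather than in System32 or SysWOW64. Collecting the entries from a live host is left to whatever registry access you already have (reg.exe export, a hive parser on an offline image); the function consumes only (key, value name, command) triples.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Run-key values, in the shape a hunt script would get
# from a registry export or a hive parser. The mssrv32 row is the entry this
# report recorded; the other two are made-up benign noise.
SAMPLE_RUN_ENTRIES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run",
     "mssrv32", r"C:\Windows\mssrv.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Indicators taken from this report.
IOC_VALUE_NAME = "mssrv32"
IOC_IMAGE = r"c:\windows\mssrv.exe"


@dataclass
class Finding:
    key: str
    name: str
    image: str
    redirected: bool          # written through the WOW64 registry redirector
    reasons: list = field(default_factory=list)


def image_path(command: str) -> str:
    """Extract the executable path from a Run value: honour quoting, drop
    arguments, expand %windir%/%SystemRoot%, and lower-case for comparison."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        path = command.split(" ", 1)[0]
    path = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.I)
    return path.lower()


def check_run_entries(entries):
    """Flag Run entries that match this report's IOC or a generic heuristic:
    an autostart image directly in C:\\Windows (not System32/SysWOW64),
    which legitimate autostarts almost never do."""
    findings = []
    for key, name, command in entries:
        image = image_path(command)
        reasons = []
        if name.lower() == IOC_VALUE_NAME or image == IOC_IMAGE:
            reasons.append("matches report IOC: mssrv32 -> C:\\Windows\\mssrv.exe")
        if image.rsplit("\\", 1)[0] == r"c:\windows":
            reasons.append("autostart image directly under C:\\Windows")
        if reasons:
            findings.append(Finding(key, name, image, "wow6432node" in key.lower(), reasons))
    return findings


if __name__ == "__main__":
    for f in check_run_entries(SAMPLE_RUN_ENTRIES):
        where = "Wow6432Node (32-bit writer)" if f.redirected else "native"
        print(f"{f.key}\\{f.name} -> {f.image} [{where}]")
        for r in f.reasons:
            print("   ", r)
```

The redirected flag is recorded rather than treated as suspicious on its own: plenty of legitimate 32-bit software registers under Wow6432Node. What makes this entry worth a ticket is the combination of that key with an unsigned image dropped straight into C:\Windows.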

Enumerates connected drives

Description: File opened (read-only)
Process: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
Target: N/A
Indicators (23 drive letters, in the order logged): \??\A: \??\E: \??\G: \??\I: \??\J: \??\K: \??\S: \??\M: \??\N: \??\O: \??\R: \??\T: \??\W: \??\L: \??\U: \??\V: \??\X: \??\Z: \??\B: \??\H: \??\P: \??\Q: \??\Y:
Every letter except C:, D: and F: was opened, including A: and B:, which points to a blind sweep of all drive letters rather than a query of mounted volumes; removable and mapped network drives are what such a sweep finds.

Drops file in System32 directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe (all rows)
Target: N/A
Files created (10):
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\spanish lesbian voyeur cock (Kathrin).mpeg.exe
C:\Windows\System32\DriverStore\Temp\sperm nude public young .avi.exe
C:\Windows\System32\LogFiles\Fax\Incoming\swedish handjob blowjob catfight redhair (Melissa,Sylvia).mpeg.exe
C:\Windows\SysWOW64\FxsTmp\canadian trambling girls (Melissa,Sonja).mpeg.exe
C:\Windows\SysWOW64\IME\shared\hardcore several models high heels .zip.exe
C:\Windows\SysWOW64\config\systemprofile\malaysia fetish sleeping black hairunshaved .zip.exe
C:\Windows\SysWOW64\FxsTmp\british nude uncut beautyfull .mpg.exe
C:\Windows\SysWOW64\IME\shared\german hardcore public boobs mature (Anniston,Samantha).zip.exe
C:\Windows\SysWOW64\config\systemprofile\african kicking [free] circumcision .zip.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\gang bang lesbian bondage .zip.exe

Drops file in Program Files directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe (all rows)
Target: N/A
Files created (15):
C:\Program Files\DVD Maker\Shared\gay [milf] .rar.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\beastiality licking nipples traffic (Ashley).avi.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\tyrkish lingerie big legs .rar.exe
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\horse big sweet .mpg.exe
C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\british gang bang licking vagina upskirt .mpeg.exe
C:\Program Files\Common Files\Microsoft Shared\lesbian beastiality catfight .mpeg.exe
C:\Program Files\Windows Journal\Templates\swedish lesbian big upskirt (Janette).rar.exe
C:\Program Files\Windows Sidebar\Shared Gadgets\handjob licking (Sonja).avi.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\kicking uncut titts .zip.exe
C:\Program Files (x86)\Microsoft Office\Templates\italian fetish trambling girls cock shower .mpeg.exe
C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\swedish gay sleeping nipples .rar.exe
C:\Program Files (x86)\Common Files\microsoft shared\xxx [bangbus] legs balls .rar.exe
C:\Program Files (x86)\Google\Temp\cumshot hidden .mpg.exe
C:\Program Files (x86)\Google\Update\Download\italian sperm catfight wifey .rar.exe
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\brasilian gay blowjob voyeur .zip.exe

Drops file in Windows directory

Description: File created (all rows)
Process: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe (all rows)
Target: N/A
Of the 64 files below, C:\Windows\mssrv.exe is the image the mssrv32 Run value points to (see Adds Run key to start application) and is the one to pull for a second sample. The rest are double-extension lures (a media or archive name ending in .exe) planted in WinSxS component folders, service-profile Temp, Templates, Downloads and Temporary Internet Files folders, and GAC/NativeImages and ASP.NET temp folders.
Files created (64):
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\african action [bangbus] vagina sweet (Gina,Sylvia).avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_bacc7ceffc55dca2\italian lesbian xxx licking boobs mature (Jenna,Kathrin).rar.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_97a45841ff925aa0\british animal fucking uncut black hairunshaved .avi.exe
C:\Windows\winsxs\x86_microsoft.grouppolicy.admtmpleditor_31bf3856ad364e35_6.1.7601.17514_none_dd18b2a07d49aa11\black lingerie beast sleeping penetration (Tatjana).mpg.exe
C:\Windows\mssrv.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\canadian cumshot girls .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65b23d3c3a97bfaf\japanese cum fucking sleeping vagina blondie (Tatjana,Sandy).zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_it-it_18a6fde3093acac7\canadian porn lingerie hidden nipples (Janette).avi.exe
C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0993a1b8823a4e79\tyrkish action gay big boobs young .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\chinese gang bang hardcore uncut hole ejaculation (Sarah).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\spanish xxx girls .mpeg.exe
C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\asian sperm gang bang lesbian glans sm .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_aea650787d30ed8a\nude animal lesbian swallow .mpeg.exe
C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\horse licking .rar.exe
C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\nude [free] mistress .rar.exe
C:\Windows\winsxs\x86_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_f3c374fc18118ca2\beastiality horse [free] .rar.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gang bang full movie boobs ejaculation .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\tyrkish xxx [milf] (Britney,Anniston).mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_es-es_00bfb7e81e458178\canadian cumshot full movie (Ashley).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\lesbian hardcore [bangbus] shoes (Liz,Curtney).zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_6.1.7600.16385_none_49dd84a06c7c8863\indian beastiality nude catfight .mpeg.exe
C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\gang bang horse [milf] .mpg.exe
C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\handjob hot (!) nipples upskirt .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\canadian cum uncut (Anniston,Tatjana).mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\spanish nude [free] shower .mpg.exe
C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\american xxx public .avi.exe
C:\Windows\winsxs\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_dba3691c6002e10e\bukkake nude girls fishy .zip.exe
C:\Windows\winsxs\x86_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_94ab98ac6d213009\tyrkish gang bang public vagina .rar.exe
C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\malaysia lingerie handjob masturbation young (Jenna).mpeg.exe
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\danish gang bang fucking licking vagina .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ac4ebfc358e5ec0\brasilian action several models granny .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\russian xxx hot (!) (Ashley).zip.exe
C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\horse cumshot several models traffic (Ashley).zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\italian fetish lesbian .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\chinese kicking [free] ash ash .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_6.1.7600.16385_none_1412267f4b3bb985\blowjob licking latex .zip.exe
C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\chinese beast kicking hidden boots .avi.exe
C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\norwegian trambling [free] legs (Sandy,Jade).avi.exe
C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\horse [bangbus] fishy .zip.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\nude public .zip.exe
C:\Windows\ServiceProfiles\LocalService\Downloads\british lingerie xxx masturbation swallow .mpeg.exe
C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\chinese horse licking penetration .mpg.exe
C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\american beast full movie vagina redhair .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\horse xxx masturbation boobs black hairunshaved (Sonja).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\brasilian xxx nude big sweet (Jenna).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-systempropertiesremote_31bf3856ad364e35_6.1.7600.16385_none_f0ca3430257ea13f\german fetish public blondie (Liz,Kathrin).avi.exe
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\beast fetish hidden redhair .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\french fucking gay girls .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\spanish xxx voyeur YEâPSè& .rar.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\spanish sperm xxx girls ash .avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_de-de_6208b91f46896156\beastiality several models (Anniston).mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\swedish nude uncut young (Sylvia).mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8c6fc5a7aa8c435d\handjob horse several models upskirt .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\black fucking bukkake [bangbus] sm (Sonja).avi.exe
C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\beast sperm voyeur YEâPSè& .mpg.exe
C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\animal [bangbus] .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\asian action animal big boobs wifey .mpg.exe
C:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\malaysia cumshot fucking hot (!) ejaculation .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\british nude hardcore girls hole ejaculation .mpg.exe
C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\indian blowjob [bangbus] ash .rar.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\indian cum masturbation hole .mpeg.exe
C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\indian cum cumshot catfight .zip.exe
C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\russian animal big beautyfull .zip.exe
C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\norwegian lingerie hidden mature .mpg.exe
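Apart from mssrv.exe, every file in the three "Drops file" lists has the same shape: a pornographic media or archive file name with a space before the extension, ending in .exe, placed in a folder that is shared, synced, searched or served (Shared Gadgets, DocumentShare, Templates, Downloads, Temporary Internet Files, WinSxS component folders, Temp folders). Added example, not part of the report: a Python sweep over a constructed list of created-file paths (six taken verbatim from the lists above, two made-up benign controls) that separates double-extension lures from other executables and tallies them by fake extension and by drop location. The location labels are an assumption about what a hunter would want to group by, not categories the sandbox uses.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: a few of the paths this report lists under "Drops file in
# ... directory", plus two made-up benign files as controls.
SAMPLE_CREATED_FILES = [
    r"C:\Windows\mssrv.exe",
    r"C:\Program Files\DVD Maker\Shared\gay [milf] .rar.exe",
    r"C:\Windows\System32\DriverStore\Temp\sperm nude public young .avi.exe",
    r"C:\Program Files (x86)\Google\Temp\cumshot hidden .mpg.exe",
    r"C:\Windows\winsxs\x86_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_664dbffec8693dfe\horse licking .rar.exe",
    r"C:\Windows\SysWOW64\IME\shared\hardcore several models high heels .zip.exe",
    r"C:\Program Files\7-Zip\7z.exe",                 # made-up benign control
    r"C:\Users\Admin\Videos\holiday.mpeg",            # made-up benign control
]

# "<anything>.<media or archive>.<executable>" at the end of the file name.
LURE_RE = re.compile(r"\.(avi|mpe?g|wmv|mp4|mov|zip|rar|7z)\.(exe|scr|com|pif)$", re.I)
EXEC_RE = re.compile(r"\.(exe|scr|com|pif)$", re.I)

# Checked in order; winsxs first because its component names contain "shared".
LOCATION_HINTS = [
    ("winsxs", r"\\winsxs\\"),
    ("temp", r"\\temp\\|\\fxstmp\\|temporary internet files"),
    ("shared", r"\\shared?\\|documentshare|shared gadgets"),
    ("templates", r"\\templates\\"),
    ("downloads", r"\\downloads\\"),
]


@dataclass
class Lure:
    path: str
    fake_ext: str      # what the name pretends to be (avi, zip, ...)
    location: str      # winsxs / temp / shared / templates / downloads / other


@dataclass
class ScanResult:
    lures: list
    other_exe: list
    by_ext: dict
    by_location: dict


def classify_location(path: str) -> str:
    low = path.lower()
    for label, pattern in LOCATION_HINTS:
        if re.search(pattern, low):
            return label
    return "other"


def scan(paths):
    """Split created files into double-extension lures (media/archive name that
    is really an executable) and other executables, with counts by fake
    extension and by the kind of directory they were planted in."""
    lures, other_exe = [], []
    for path in paths:
        basename = path.rsplit("\\", 1)[-1]
        m = LURE_RE.search(basename)
        if m:
            lures.append(Lure(path, m.group(1).lower(), classify_location(path)))
        elif EXEC_RE.search(basename):
            other_exe.append(path)
    return ScanResult(
        lures, other_exe,
        dict(Counter(lure.fake_ext for lure in lures)),
        dict(Counter(lure.location for lure in lures)),
    )


if __name__ == "__main__":
    result = scan(SAMPLE_CREATED_FILES)
    print(f"{len(result.lures)} lure executables, {len(result.other_exe)} other executables")
    print("by fake extension:", result.by_ext)
    print("by drop location:", result.by_location)
    for lure in result.lures:
        print(f"  [{lure.location:9}] {lure.path}")
```

On a live host the same scan runs over a directory walk or an EDR file-creation feed instead of the constructed list; the executables that fall into other_exe (here mssrv.exe) are the ones to hash and compare against the SHA256 at the top of this report.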

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 1248 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 1248 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 1248 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 2564 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 2564 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 2564 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 2564 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 151.17.61.237.in-addr.arpa udp
US 8.8.8.8:53 25.60.148.185.in-addr.arpa udp
US 8.8.8.8:53 90.40.48.98.in-addr.arpa udp
US 8.8.8.8:53 227.75.221.10.in-addr.arpa udp
US 8.8.8.8:53 202.60.180.113.in-addr.arpa udp
US 8.8.8.8:53 53.74.40.226.in-addr.arpa udp
US 8.8.8.8:53 59.107.171.20.in-addr.arpa udp
US 8.8.8.8:53 117.217.211.117.in-addr.arpa udp
US 8.8.8.8:53 207.137.59.179.in-addr.arpa udp
US 8.8.8.8:53 254.181.204.230.in-addr.arpa udp
US 8.8.8.8:53 229.94.77.106.in-addr.arpa udp
US 8.8.8.8:53 218.242.78.237.in-addr.arpa udp
US 8.8.8.8:53 148.121.111.223.in-addr.arpa udp
US 8.8.8.8:53 203.230.164.238.in-addr.arpa udp
US 8.8.8.8:53 127.249.116.203.in-addr.arpa udp
US 8.8.8.8:53 168.51.12.224.in-addr.arpa udp
US 8.8.8.8:53 195.247.70.180.in-addr.arpa udp
US 8.8.8.8:53 65.9.108.204.in-addr.arpa udp
US 8.8.8.8:53 78.103.236.35.in-addr.arpa udp
US 8.8.8.8:53 204.70.1.208.in-addr.arpa udp
US 8.8.8.8:53 170.179.51.48.in-addr.arpa udp
US 8.8.8.8:53 158.223.102.83.in-addr.arpa udp

Files

memory/1248-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Windows Sidebar\Shared Gadgets\handjob licking (Sonja).avi.exe

MD5 5f64b7de39f30fc92638977f342221c8
SHA1 68f4e90d6b19f26d3acd0282b0ff5bbc1ce31eae
SHA256 2ccbb23d52452b100e7fae81f2a93e17fe442ffb9df4e96c30e3879761d2702d
SHA512 d14523fec52a8d1c78e8fa43ddbfca788b558c1c64a196c349d3f8c34837dc93066312aadeac5936588d1e679b6f2051457f920e0243837e8087eeb0691a4508

memory/1248-53-0x0000000004CE0000-0x0000000004CFE000-memory.dmp

memory/2564-54-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2564-76-0x00000000047D0000-0x00000000047EE000-memory.dmp

memory/2892-77-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1248-94-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1248-95-0x0000000004CE0000-0x0000000004CFE000-memory.dmp

memory/2564-98-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2564-99-0x00000000047D0000-0x00000000047EE000-memory.dmp

memory/2892-100-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:21

Reported

2024-04-08 01:24

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\DriverStore\Temp\trambling fetish lesbian balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\hardcore lingerie hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\asian xxx fucking [bangbus] boots (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\american cum lingerie full movie hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\xxx lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\xxx cumshot uncut vagina redhair (Jenna).mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\brasilian horse blowjob hot (!) cock .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\porn masturbation fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\indian horse licking ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\french xxx masturbation nipples fishy (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\sperm horse hidden .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\japanese cum several models pregnant .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Updates\Download\tyrkish bukkake horse voyeur 40+ .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\norwegian lesbian sperm hidden hole (Tatjana).rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Common Files\microsoft shared\asian lingerie full movie (Tatjana,Sandy).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\horse [bangbus] .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\cum fetish masturbation vagina (Anniston,Sarah).avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish beastiality nude big .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\horse hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\malaysia lingerie public legs femdom (Gina).avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EU5927.tmp\italian lesbian uncut black hairunshaved (Samantha,Sandy).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Google\Temp\black lingerie [milf] wifey .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\dotnet\shared\spanish nude hot (!) (Christine,Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\beast beast masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\swedish gang bang bukkake hidden bondage (Sandy).avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian cumshot horse hidden boots (Ashley).mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\beastiality [free] (Tatjana,Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\german nude sperm full movie .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\cumshot blowjob catfight nipples high heels (Curtney,Sonja).avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\gay sleeping nipples (Melissa).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\japanese bukkake fetish voyeur high heels (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\african fetish masturbation .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\danish nude big gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.1_none_e32b64807ab11fd2\bukkake several models shower (Tatjana).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\xxx fetish lesbian gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_c9ce604ef4cbf323\tyrkish beastiality fetish big nipples boots .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\italian horse big gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\malaysia trambling xxx public .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\spanish beast beast girls (Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\italian hardcore beastiality big vagina .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_d980e9752d51efac\british sperm hidden pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\african horse xxx [free] glans (Britney).rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\british animal beastiality full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\gang bang licking (Sylvia,Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\spanish cum hot (!) sm .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_de-de_881b257d159a5de8\bukkake public stockings .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\danish sperm sleeping .mpg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\swedish beast lingerie lesbian legs .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\lingerie hot (!) ash .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\gay voyeur feet leather .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\sperm animal [free] Ôï (Ashley,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_de-de_e4e52f411b7b0526\tyrkish horse cumshot hidden (Liz,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\black handjob horse voyeur ash ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_es-es_8da1621e0a800290\horse horse sleeping high heels .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_bca64d70c79f104b\xxx hot (!) leather .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\asian xxx licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\gay horse [milf] boots .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\african handjob girls (Karin,Sylvia).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_67a96afcfa248327\kicking trambling [milf] boobs beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_b201c2e68d8dbc0d\sperm sleeping fishy .zip.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\sperm fetish lesbian feet .avi.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\danish horse [milf] feet redhair .rar.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 4824 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe
PID 4992 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe

"C:\Users\Admin\AppData\Local\Temp\c7ebd8eca6b37b033ff128fba3ab963f06e0710165f7218add3843d3b64c4d50.exe"

Network

Country Destination Domain Proto

Files

memory/4824-0-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\swedish beastiality nude big .avi.exe

MD5 3ad2010f2e2d93582d530a67c88ba172
SHA1 59d7b058f4188bda3501f59fde4909783fa75acd
SHA256 befaa8441a2eef43ecd3210539540f37c9836f116096a0f7b6a08f4b60b9d474
SHA512 ed34b04f8ea3e767b8d8fcf31c29ffeeb66f2567e9d2e06ce5c101498cb8e47c9c9082e45bedfd02c32d65a10e65b7343e0d5602b593a7ef08b459de17c4ea2c

memory/4992-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3248-35-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2000-40-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4824-189-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4992-192-0x0000000000400000-0x000000000041E000-memory.dmp

memory/3248-195-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2000-199-0x0000000000400000-0x000000000041E000-memory.dmp