Malware Analysis Report

2024-11-30 04:11

Sample ID 240408-bqe15scd9v
Target c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600
SHA256 c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600
Tags
upx persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600

Threat Level: Known bad

The file c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600 was found to be: Known bad.

Malicious Activity Summary

upx persistence spyware stealer

UPX dump on OEP (original entry point)

Detects executables containing possible sandbox analysis VM usernames

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:20

Signatures

UPX dump on OEP (original entry point)


UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:20

Reported

2024-04-08 01:23

Platform

win7-20240221-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames


UPX dump on OEP (original entry point)


Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"
Process: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe
Target: N/A

Enumerates connected drives


Drops file in System32 directory


Drops file in Program Files directory


Drops file in Windows directory


Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe
PID 1656 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe
PID 2500 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

Network

Country Destination Domain Proto

Files

C:\Program Files\Windows Sidebar\Shared Gadgets\beast sleeping high heels .rar.exe

MD5 03cc7ee36f2b249ef9cd099d07c2029b
SHA1 901df7143444f76eaaeeec0998695c2df27ee05a
SHA256 35cc0d839cec355317131dcc43bd81fa98d21a5da3a33ef4cbd548d51f1d4dd3
SHA512 baf1760bf3d2ce9820eedb71714a645f00b0ecf96b93db4e77de5726d959e8bafbfe83e7715eb2024b6b4c38e85c9a82413adf67d2b652779d3ba4b38101164d

C:\debug.txt

MD5 c649f309570119bea58bc196ac6f049b
SHA1 2571b70a603079c7634ac08b0a4ce7b8a6efb10b
SHA256 f4ca14c0969df574eaf3e4e25157a745273053c98f8c028bdc0697e37be5cac3
SHA512 f102136c73da1d04509057656a10d9747e4758267d688d51898cf12652a842e2e9881f7c0ca757c29acfd0ff11322e5febd7a6908c96a8b6c184346b95a6353d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:20

Reported

2024-04-08 01:23

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\danish bukkake fucking [free] beautyfull .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\swedish handjob sperm [free] .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\kicking porn uncut vagina .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\malaysia sperm lesbian [free] boobs hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\black trambling catfight ash girly .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\xxx several models .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\System32\DriverStore\Temp\malaysia beast cumshot [free] .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\canadian horse [milf] hole sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\german lesbian [bangbus] glans (Samantha,Christine).zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\cum full movie cock fishy .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\hardcore voyeur (Sarah,Sonja).mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\danish fetish hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\spanish handjob cumshot voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Google\Temp\kicking several models shoes .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\handjob sleeping high heels .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\dotnet\shared\chinese lingerie [free] pregnant (Ashley).zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\cumshot gang bang several models granny .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\italian xxx full movie 50+ .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\bukkake beast public feet .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\beast nude uncut mature .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\african porn bukkake sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\african beastiality cum public hotel .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\black trambling sleeping wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Common Files\microsoft shared\lingerie licking mature .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\gay [milf] femdom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\german blowjob licking .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\handjob uncut cock shower (Karin,Samantha).mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\beast big .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\chinese xxx licking .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\beastiality trambling voyeur wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\chinese lingerie hardcore sleeping black hairunshaved .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_3d077a9cd5de5151\american animal several models boobs pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_56c05939711f0938\indian cumshot blowjob [milf] .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\hardcore [free] vagina .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\horse hidden feet castration (Janette,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\african gang bang [bangbus] hole penetration (Sandy,Ashley).rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\swedish fucking fetish [free] boots .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-ntlmshared_31bf3856ad364e35_10.0.19041.1_none_734900fc110387b6\malaysia blowjob lesbian [milf] vagina mistress .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\lingerie animal voyeur hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\canadian horse action lesbian hole lady .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\indian hardcore fucking [free] (Sonja,Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\Temp\french animal hardcore girls sweet .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_b597a55b603b537d\cumshot several models titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\sperm masturbation hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\action hardcore full movie young .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\Downloads\hardcore hidden shower .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\cumshot cum full movie girly .mpg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_it-it_4c5922428a6f2d08\danish action cum licking .avi.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\danish bukkake hidden .zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\italian lingerie masturbation bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5021dd18efc0460c\japanese lesbian licking high heels (Sarah,Sonja).zip.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3952 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe
PID 3952 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe
PID 2244 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe

"C:\Users\Admin\AppData\Local\Temp\c796049d73eaaf2127ac3a692d5ee8246122c865db04d427a165f146abd1d600.exe"

Network

Country Destination Domain Proto

Files

memory/3952-0-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\cumshot gang bang several models granny .mpeg.exe

MD5 e93ed4cd94d66909f215f83d8053582d
SHA1 3618f699a9904055be27308b03e0d98fb35ae370
SHA256 d60d2217abf459b26ce38116486671dc82ca9f2db30944a8d754c8fec1902b34
SHA512 28bcfc24958102f54cdb5158ff3d6be7c38aad1fc225a3ec96dc90391ded3925d72796c6f19b26ac9f216c7dbb898451c543a17e73047b8af824682651453b6e
