Malware Analysis Report

2024-11-30 04:11

Sample ID 240408-btdbqacf2y
Target c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d
SHA256 c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d

Threat Level: Known bad

The file c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

Detects executables containing possible sandbox analysis VM usernames

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-08 01:25

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-08 01:25

Reported

2024-04-08 01:28

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\lingerie full movie .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\tyrkish animal blowjob masturbation boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\american gang bang lesbian uncut feet .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\System32\DriverStore\Temp\lingerie [milf] cock 50+ (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\fetish blowjob several models bondage (Sonja,Melissa).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\IME\shared\italian porn beast sleeping leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\blowjob uncut \× .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\american porn xxx hidden leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\IME\shared\tyrkish handjob blowjob masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\hardcore [milf] feet .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\indian cum blowjob big (Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\russian action hardcore hot (!) beautyfull .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\horse girls feet .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\russian beastiality beast catfight titts 50+ .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\italian nude lingerie licking .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\american cum hardcore voyeur mistress .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\american cumshot horse public stockings (Christine,Sylvia).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\american porn lesbian [free] mistress .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\beast catfight titts balls .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\DVD Maker\Shared\american horse bukkake several models (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Google\Temp\beast [free] titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\tyrkish beastiality bukkake uncut hole traffic (Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\trambling hidden glans .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Notebook Templates\fucking sleeping titts .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\gay [bangbus] titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Downloaded Program Files\trambling masturbation beautyfull .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\horse several models .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\chinese horse big glans 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\beastiality lesbian sleeping wifey .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SoftwareDistribution\Download\fucking public ìï .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_6.1.7600.16385_none_6377027f0030a06a\sperm uncut glans hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\canadian blowjob big lady .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0af98f1835676d1b\hardcore hot (!) .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\brasilian horse trambling girls blondie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_de-de_60a2cbbf935c42b4\african gay [free] swallow .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_4d274741486b900c\nude fucking sleeping .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP9E41.tmp\american action lesbian [free] feet sweet (Curtney).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE291.tmp\indian nude hardcore hot (!) .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2fc4a33adb648f33\bukkake public hole .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8bfc34b93f0fdd42\german horse hot (!) beautyfull .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_6.1.7600.16385_none_5499606faffb3f9f\german fucking hidden .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\indian horse trambling licking feet bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\fetish horse hot (!) cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\indian porn horse [free] hairy .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\temp\lingerie public glans sweet (Sylvia).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_293ea1e3e6bc5364\italian porn trambling voyeur glans .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f25d066604c2ad34\spanish bukkake licking (Melissa).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_16a2bb1dbab1c595\canadian bukkake public lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\sperm sleeping (Janette).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5d9f7d70ed4643fd\gang bang lingerie sleeping titts leather (Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_6b16fa9f975e1109\kicking horse girls upskirt (Jenna,Tatjana).avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\mssrv.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\indian handjob beast full movie cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAPE56E.tmp\indian nude sperm several models mature .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-b..-bcdtemplate-client_31bf3856ad364e35_6.1.7600.16385_none_8419660d1cc97b24\bukkake [bangbus] .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_6.1.7600.16385_none_7f84cd98a7a56fd8\bukkake [free] penetration (Kathrin,Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian nude sperm sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_it-it_963e6ae24c653bfe\canadian lingerie public cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\black horse lingerie sleeping (Sylvia).avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\swedish handjob fucking sleeping hotel .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_6.1.7601.17514_none_4fe2107fd06efdd8\lesbian voyeur titts .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\tyrkish cumshot hardcore full movie mature .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_6.1.7600.16385_none_a945e2c500c90142\black cumshot bukkake hidden glans gorgeoushorny .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\lingerie lesbian hole .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fucking hot (!) cock traffic .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\black animal sperm voyeur pregnant .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\security\templates\american action horse hidden hole .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\danish porn blowjob masturbation (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_es-es_657d9a203abeb154\xxx [milf] granny .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94828572f7ddbf0f\german blowjob uncut boots .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\sperm hot (!) feet fishy .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e30b5ec05031d17d\beastiality beast catfight sm (Ashley,Karin).avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\porn xxx public (Sylvia).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\canadian blowjob sleeping sweet (Christine,Melissa).avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor.Resources\black horse lingerie masturbation .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_f27c4f066f5c6701\french sperm masturbation ejaculation .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\lesbian big stockings .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8bc7919d3f36cee7\danish action lesbian [milf] bedroom .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_6.1.7600.16385_none_5e4ff1f4cf2dee9b\french bukkake several models femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\GAC_64\Microsoft.GroupPolicy.AdmTmplEditor\danish animal beast sleeping .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2e7f079c3208e549\sperm full movie .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\InstallTemp\spanish fucking big femdom (Britney,Sarah).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_3c93ac15fd731acf\cumshot horse catfight titts lady .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\Downloads\russian cumshot trambling lesbian (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0835101f2d90c7b6\brasilian nude sperm lesbian feet sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\british lingerie [bangbus] .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_a3772de7111797da\canadian sperm catfight balls .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\xxx [milf] .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\animal sperm masturbation (Janette).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe
PID 2992 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

Network

Country Destination Domain Proto

Files

C:\Program Files\Windows Sidebar\Shared Gadgets\horse girls feet .avi.exe

MD5 fb784116f908827499ad2eb224ce85ed
SHA1 97cc0f3f8b1fad768eb689a5c752b51f95d68626
SHA256 452a4d5e51b00eb5da19b57b049a1e5244922aef41cf7456a8cd470bdde9cfea
SHA512 5c20490d63d0c180f97df7aea0fc4f303d10aa224247b471c8dbf786ec30f27866c852a74fa6c5a5c67311f5791e783a36eca4951db49f3b379f219c1f6d8d69

C:\debug.txt

MD5 322fb3f0bef77a2e1f93a03e4a65816d
SHA1 242b156c1d8c8dfea4345972ee0ff50018e00185
SHA256 2df76267bac06d3edc88aa82435b645576c9b054e56b43a94d363b3185ae5111
SHA512 6fd93b54931f9232032d1d7a564be633a681ba531a7557985e81bc2865bf4f7e31616c723ba3f8c066d0447288dd98f7397e76179e796b94c965ddf0a2b6e06d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-08 01:25

Reported

2024-04-08 01:28

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

Signatures

Detects executables containing possible sandbox analysis VM usernames

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe" C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\FxsTmp\african xxx hot (!) (Samantha).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish cum bukkake lesbian glans .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\lingerie big cock .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\indian handjob xxx masturbation sm (Kathrin,Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\xxx [free] upskirt .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\System32\DriverStore\Temp\lesbian lesbian feet boots .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\IME\SHARED\swedish porn fucking voyeur .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\System32\LogFiles\Fax\Incoming\lingerie catfight fishy .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\bukkake girls (Jade).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\FxsTmp\lesbian hot (!) (Curtney).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\tyrkish fetish horse public titts mistress (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\bukkake uncut titts bondage .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\Update\Download\bukkake [bangbus] traffic (Sonja,Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Common Files\microsoft shared\xxx licking titts swallow .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\japanese porn bukkake full movie hairy .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\italian gang bang hardcore public sweet .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\danish nude beast uncut sm (Kathrin,Liz).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\dotnet\shared\american beastiality beast hidden latex (Sandy,Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\tyrkish action gay catfight ash .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\brasilian kicking lingerie hidden hole latex (Liz).rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\american cumshot lesbian hidden glans gorgeoushorny (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Google\Temp\american porn hardcore big .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\gay voyeur ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\beast big hotel .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\beast hot (!) bedroom .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\hardcore full movie hole (Kathrin,Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\horse licking glans ΋ (Samantha).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\swedish porn lingerie [free] hole 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\porn bukkake sleeping glans castration .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\trambling [free] sweet (Kathrin,Liz).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\trambling [milf] titts (Sandy,Melissa).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\nude horse hot (!) cock mistress (Curtney).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\tyrkish animal trambling public black hairunshaved .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-vsssystemprovider_31bf3856ad364e35_10.0.19041.1_none_01240756137c3159\spanish fucking several models (Janette).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_fe0807c37141be7a\xxx licking hotel .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\brasilian cum bukkake uncut sm .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Templates\american beastiality lingerie big hole swallow .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..acejoin-gptemplates_31bf3856ad364e35_10.0.19041.1_none_609f27436445f4da\swedish fetish fucking several models glans .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\brasilian nude bukkake uncut hole gorgeoushorny .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.1_none_a4f93129c473df49\nude blowjob masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\danish porn lesbian hot (!) glans shoes .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\malaysia lesbian uncut cock .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\blowjob big .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\danish animal trambling hidden feet (Sandy,Liz).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\assembly\tmp\danish beastiality hardcore catfight cock .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\Downloaded Program Files\danish fetish fucking masturbation .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.1_none_f3b35d713ce0fc7f\african lesbian licking cock gorgeoushorny .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\fetish sperm [milf] upskirt .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_en-us_e5f85095c4bc5d16\trambling voyeur leather .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.1_none_c513167c1d0a90dd\african xxx voyeur .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\japanese gang bang fucking girls glans blondie (Karin).zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..me-jkshared-roaming_31bf3856ad364e35_10.0.19041.746_none_2212358fc33cc10f\french horse lesbian .avi.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\horse uncut feet .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_f8d34ba1b1eb00de\gay voyeur 40+ (Anniston,Jade).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1_none_a23e6a858fad9595\black porn xxx uncut .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\porn sperm [bangbus] hairy .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\italian action horse big black hairunshaved .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\chinese beast hot (!) .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\CbsTemp\swedish fetish lesbian [free] glans .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\black nude sperm voyeur bondage .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\hardcore several models .zip.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..templates.resources_31bf3856ad364e35_10.0.19041.1_en-us_8dd6053a0a5910eb\norwegian beast voyeur 40+ .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_f8e978b0ed48a6bb\beastiality fucking full movie ash .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\PLA\Templates\xxx masturbation shower .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_a4327320c19e2fa7\swedish kicking beast full movie cock mistress (Curtney).mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\x86_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_4ab14109a3e1e067\trambling public .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d38ece58f77171b4\black horse trambling sleeping (Sarah).mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_installsqlstatetemp_b03f5f7f11d50a3a_10.0.19041.1_none_03040a328f65b761\spanish fucking [milf] femdom .mpg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\blowjob [free] feet Ôï .mpeg.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\spanish sperm sleeping cock .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\action sperm several models swallow .rar.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 656 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe
PID 4620 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe

"C:\Users\Admin\AppData\Local\Temp\c9ca20d0d00ce8644fad6f4fe7c50218f810b42e19f86d73581ae67dca9b070d.exe"

Network

Country Destination Domain Proto

Files

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\hardcore full movie hole (Kathrin,Sarah).mpg.exe

MD5 3dedeb0b29c7fd82f955c362f612c844
SHA1 a2dc4adc5540151fc1432bd8bd88eae1bde8c807
SHA256 bf52da888ae2f8fb0acb2682a17a48243411e43aa0a461d37857877322e2cad3
SHA512 7a297d9f2e14a53211e5a29ddd11591ca737b41e7bf515563c6f3c8fa8a2f7f281fb42a0f466a261101e07322c1ecf8a0583614e62f21a50cdf61ebf384c3572