Malware Analysis Report

2025-08-05 14:11

Sample ID 230815-sg5zmsbc76
Target dx9injector.exe
SHA256 7184d833a7e7c6d51342b7cff35e675dc467c3c8d5bfe09a7b9ac269dcd6e807
Tags
quasar blitzed spyware themida trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7184d833a7e7c6d51342b7cff35e675dc467c3c8d5bfe09a7b9ac269dcd6e807

Threat Level: Known bad

The file dx9injector.exe was found to be: Known bad.

Malicious Activity Summary

quasar blitzed spyware themida trojan

Quasar RAT

Quasar payload

Themida packer

Looks up external IP address via web service

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-15 15:06

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-08-15 15:06

Reported

2023-08-15 15:09

Platform

win10-20230703-en

Max time kernel

0s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dx9injector.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload


Themida packer

themida

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\dx9injector.exe

"C:\Users\Admin\AppData\Local\Temp\dx9injector.exe"

C:\Users\Admin\AppData\Local\Temp\DX9INJECTOR.EXE

"C:\Users\Admin\AppData\Local\Temp\DX9INJECTOR.EXE"

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

"C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Windows Security Notification" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MICROSFT MSI.EXE.log

MD5 10ecf495fafaaeb7fdea5c8033a0fc87
SHA1 e81a0c0415cf5b13e58319e82e07f1ed5c10e491
SHA256 aaff4d50d7258fd2a5f8e6d073b6d32925d392b9f37209180f469a11d46a63b9
SHA512 87928fcbddafe42764db1de846b0349ceeb08b0af6ee190b0e4076a63c32e20a826a7e76b55f6a6786c69f3c1fc04e8e030bc1ad69c523c96b27cf75a78e53e0

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955


C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Local\Temp\MICROSFT MSI.EXE

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955

C:\Users\Admin\AppData\Roaming\SubDir\Microsoft Host Sercurity.exe

MD5 e98d16cdcee8e9ffbc05b09288848aaa
SHA1 b3a603b26707dd3ef26b9795f86859d517a4ae28
SHA256 e3900c6d24732529821fc0dd84b4c767352e244dca8386ea51b51d43baf386cb
SHA512 0a7b60a778fc3c851cc2b1e73510f919dcc9d464d239ad1835cd55c020f656762883e45a67a38cccb5c22c13be795c3d5f87044baf11b75291d5bc1dff5d5955