Analysis Overview
SHA256
cc95c0db419de3ca25709f4c1abc74ebdb72947b1d4d7e35b4ab6c36ffdee484
Threat Level: Known bad
The file quarantine.7z was found to be: Known bad.
Malicious Activity Summary
Amadey
Amadey family
Xworm
Detect Xworm Payload
Systembc family
Lumma Stealer, LummaC
Xworm family
SystemBC
Vidar family
Lumma family
Vidar
Detect Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Downloads MZ/PE file
Reads user/profile data of local email clients
Checks computer location settings
Identifies Wine through registry keys
Checks BIOS information in registry
Executes dropped EXE
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
.NET Reactor protector
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
AutoIT Executable
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Program crash
System Location Discovery: System Language Discovery
Browser Information Discovery
Event Triggered Execution: Installer Packages
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Gathers network information
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Delays execution with timeout.exe
Checks processor information in registry
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-02-25 22:21
Signatures
Amadey family
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral28
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
131s
Max time network
149s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddcedbbabcc = "\"C:\\ProgramData\\ddcedbbabcc.exe\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3612 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3612-0-0x00007FF76BFF0000-0x00007FF76C08F000-memory.dmp
memory/3568-2-0x0000000002B50000-0x0000000002BF5000-memory.dmp
memory/3568-1-0x0000000002B50000-0x0000000002BF5000-memory.dmp
memory/3612-5-0x00007FF76BFF0000-0x00007FF76C08F000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
126s
Max time network
150s
Command Line
Signatures
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4588 set thread context of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 788
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | presentymusse.world | udp |
| US | 172.67.169.190:443 | presentymusse.world | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 172.67.169.190:443 | presentymusse.world | tcp |
| US | 172.67.169.190:443 | presentymusse.world | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4588-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp
memory/4588-1-0x0000000000870000-0x00000000008CC000-memory.dmp
memory/4588-2-0x0000000005670000-0x0000000005C14000-memory.dmp
memory/2528-4-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2528-6-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4588-7-0x0000000074CC0000-0x0000000075470000-memory.dmp
memory/2528-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2528-9-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
135s
Max time network
146s
Command Line
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4940 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 800
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4940-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp
memory/4940-1-0x0000000000B10000-0x0000000000BE6000-memory.dmp
memory/4940-2-0x0000000005D00000-0x00000000062A4000-memory.dmp
memory/4940-3-0x0000000074EF0000-0x00000000756A0000-memory.dmp
memory/1368-5-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1368-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/4940-8-0x0000000074EF0000-0x00000000756A0000-memory.dmp
memory/1368-9-0x0000000000400000-0x000000000045E000-memory.dmp
memory/1368-10-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
121s
Max time network
124s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2464 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 504
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paleboreei.biz | udp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
Files
memory/2464-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/2464-1-0x0000000000800000-0x000000000085C000-memory.dmp
memory/2284-4-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-10-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2284-12-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-7-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-6-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-5-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-3-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2464-13-0x0000000074E90000-0x000000007557E000-memory.dmp
memory/2284-14-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2284-15-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2464-16-0x0000000074E90000-0x000000007557E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
98s
Max time network
128s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20241023-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
Files
memory/2588-0-0x00000000012A0000-0x00000000015B3000-memory.dmp
memory/2588-1-0x00000000773F0000-0x00000000773F2000-memory.dmp
memory/2588-2-0x00000000012A1000-0x00000000012CB000-memory.dmp
memory/2588-3-0x00000000012A0000-0x00000000015B3000-memory.dmp
memory/2588-4-0x00000000012A0000-0x00000000015B3000-memory.dmp
memory/2588-5-0x00000000012A0000-0x00000000015B3000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20241023-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\nahprot.bat' -ArgumentList 'gOsYxjsoymkBmrzpQYy' -WindowStyle Hidden"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" gOsYxjsoymkBmrzpQYy "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i WDS100T2B0A
Network
Files
memory/1980-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp
memory/1980-1-0x0000000000A40000-0x000000000146E000-memory.dmp
C:\Users\Admin\AppData\Roaming\nahprot.bat
| MD5 | 4eb348c6ecbb8c6e4c5543fc254ce626 |
| SHA1 | f24923fcd2bb9148270e08622fa6c1079aa81fe1 |
| SHA256 | f1a5969e8b42932f80dc6e74d3301f120cba27a0b27ba2c92ebef7539a89e633 |
| SHA512 | 69b48d17bd205092d3cf3c856ce3920b922f2b701294299b9097613b74acce3d8b866f96557ba532b973f6b321b1705251feb9f85af2edf54aa75c032fae878f |
memory/1476-15-0x0000000002B60000-0x0000000002BE0000-memory.dmp
memory/1476-16-0x000000001B480000-0x000000001B762000-memory.dmp
memory/1476-17-0x00000000027A0000-0x00000000027A8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 2a36368aea2f3b873f2c3a920cfbc2c2 |
| SHA1 | 9ba0a0fac7842eb13fdf1d9bea64625fd7c11446 |
| SHA256 | 2c45c3e87421f6cac4c487ef7ad12eb8a0fbaf8e049fcf7502ceb8469fc2da7e |
| SHA512 | a9041a20b51a338ad8ece74d1ab691c9f8a94069a8bfac0765979217f5eb36e3b95e34d5a236cdea2de5181c94b8a21a1eaf9225c737206815760e863ed93393 |
memory/2260-23-0x000000001B570000-0x000000001B852000-memory.dmp
memory/2260-24-0x0000000001F00000-0x0000000001F08000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20241010-en
Max time kernel
121s
Max time network
153s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 524 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d
498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.21:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| TR | 94.156.227.220:7000 | | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 2.23.205.233:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.99:80 | crl.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar1E80.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
memory/2668-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2668-62-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-66-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-65-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-59-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-56-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-54-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2668-55-0x0000000000400000-0x000000000043C000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
140s
Max time network
155s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | bitbucket.org | N/A | N/A |
| N/A | bitbucket.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1596 set thread context of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| IE | 185.166.142.22:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | appengine.google.com | udp |
| TR | 94.156.227.220:7000 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/2804-6-0x0000000000400000-0x000000000043C000-memory.dmp
memory/2804-7-0x0000000073BAE000-0x0000000073BAF000-memory.dmp
memory/2804-8-0x0000000005230000-0x00000000052CC000-memory.dmp
memory/2804-9-0x0000000073BA0000-0x0000000074350000-memory.dmp
memory/2804-10-0x0000000005780000-0x00000000057E6000-memory.dmp
memory/2804-11-0x0000000073BAE000-0x0000000073BAF000-memory.dmp
memory/2804-12-0x0000000073BA0000-0x0000000074350000-memory.dmp
memory/2804-13-0x00000000060B0000-0x0000000006142000-memory.dmp
memory/2804-14-0x0000000006700000-0x0000000006CA4000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
120s
Max time network
147s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 172.67.216.4:443 | | tcp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| IE | 20.223.35.26:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
139s
Max time network
137s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"
Network
| Country | Destination | Domain | Proto |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | decreaserid.world | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240729-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Amadey
Amadey family
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dnao\rbsmife.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dnao\rbsmife.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dnao\rbsmife.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\ProgramData\dnao\rbsmife.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\ProgramData\dnao\rbsmife.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\ProgramData\dnao\rbsmife.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\dnao\rbsmife.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\ProgramData\dnao\rbsmife.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
"C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {3279D3F4-691F-49DA-8C18-18C8B088C80A} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]
C:\ProgramData\dnao\rbsmife.exe
C:\ProgramData\dnao\rbsmife.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5111 | towerbingobongoboom.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
| MD5 | e3db5749715032f09380e2b83170df85 |
| SHA1 | 5eba9270b0a48ffda040d10e08aef49acbb4452d |
| SHA256 | 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe |
| SHA512 | 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199 |
C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
| MD5 | 22b7fa9d7ece61a0e0a7a0e9b130e311 |
| SHA1 | 00329bc46fab8e69da98e11894e7249fc4b5199f |
| SHA256 | 0acada86bfe4cbdc97544e147207bcee377948415acb32223fe6a69716591c8f |
| SHA512 | cbc289aaf8a12863fc5d27443daea89e90045805b110eb2a4eabbfa2afb185651355dcffcb9a8188801786e2a07aa7198d31aba8d3bc4c2f8bcfea66033260b9 |
C:\Windows\Tasks\Test Task17.job
| MD5 | 900d8ea41149a4bc1d0bc27b8178287c |
| SHA1 | 583e385ffa18b2bc1247e82dce18ec48826d7237 |
| SHA256 | 8c761b26944c1136b004791bc0924f71976a8db069e0caf4c5aee93ad46370c7 |
| SHA512 | e5296bea28e9f65dac0dda22c415b64b79b866da928cf3b074d2c44e6dded8764a8ed1909728ad01a09a09b264e16f670588fe8979093339ef501b0def195e68 |
Analysis: behavioral22
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Reads user/profile data of local email clients
Checks installed software on the system
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 150.171.27.10:443 | | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20241023-en
Max time kernel
144s
Max time network
125s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"
(the same process entry, path and command line, is listed 107 times in the original report)
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3908 set thread context of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 816
C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe
"C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe"
C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe
"C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.27.9:443 | www.bing.com | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
| GB | 37.235.55.68:1987 | | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | abolhb.com | udp |
| GB | 185.172.175.125:5050 | abolhb.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| GB | 185.172.175.125:5050 | abolhb.com | tcp |
| GB | 185.172.175.125:5050 | abolhb.com | tcp |
| GB | 185.172.175.125:5050 | abolhb.com | tcp |
| GB | 185.172.175.125:5050 | abolhb.com | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
Files
C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe
| MD5 | 8522913829a30ad563871e12fdd07707 |
| SHA1 | 6d4fc1b91909a5b267e4cd4f581068fe77e44e6f |
| SHA256 | dcb40abf5ad8a692a62ac722866eb14664d7951b1fa9498091d46a0af0b6813c |
| SHA512 | 3fe8eb66c3273a743f97293306cf1eaf30264b6fa187af62d6db533335691867eee51a206341c1b97ec6fd59d6d2c99f44e4958e869e98b9f62bc8a56074f80f |
C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe
| MD5 | 4761ea2568c231143ed81463fdf8e01d |
| SHA1 | 6c821733e1487e79499e374b97464de323a9be5c |
| SHA256 | 37f54e6b882a55e2b461807c3d82eef458a92b3a0eb509096777d3a75e074e7e |
| SHA512 | 542dd6e12402f3b0510ee5cd04e1d277177cbce09a532b92714cfa02f5c9dcdbfbfd333b9ca9e5af8e2d697825104178535572c54a44f4084ef50009e7924ea5 |
C:\Users\Admin\AppData\Local\Temp\KC2Lq8pBKb
| MD5 | 777045764e460e37b6be974efa507ba8 |
| SHA1 | 0301822aed02f42bee1668be2a58d4e47b1786af |
| SHA256 | e5eff7f20dc1d3b95fa70330e2962c0ce3fce442a928c3090ccb81005457cb0f |
| SHA512 | a7632f0928250ffb6bd52bbbe829042fd5146869da8de7c5879584d2316c43fb6b938cc05941c4969503bfaccdec4474d56a6f7f6a871439019dc387b1ff9209 |
C:\Users\Admin\AppData\Local\Temp\K3D9v5NFpS
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
Analysis: behavioral16
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
136s
Max time network
141s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4060 set thread context of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4060 -ip 4060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 788
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | paleboreei.biz | udp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
| US | 172.67.181.243:443 | paleboreei.biz | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Amadey
Amadey family
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| N/A | N/A | C:\ProgramData\gdcrsjl\qxgq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4944 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 4944 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 4944 wrote to memory of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe |
| PID 4556 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe |
| PID 4556 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe |
| PID 4556 wrote to memory of 3044 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
"C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\ProgramData\gdcrsjl\qxgq.exe
C:\ProgramData\gdcrsjl\qxgq.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp |
| NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp |
| DE | 104.194.157.122:80 | 104.194.157.122 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5113 | towerbingobongoboom.com | tcp |
Files
memory/4944-0-0x0000000000FC0000-0x000000000147D000-memory.dmp
memory/4944-1-0x0000000077A34000-0x0000000077A36000-memory.dmp
memory/4944-3-0x0000000000FC0000-0x000000000147D000-memory.dmp
memory/4944-2-0x0000000000FC1000-0x0000000000FEF000-memory.dmp
memory/4944-4-0x0000000000FC0000-0x000000000147D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
| MD5 | e3db5749715032f09380e2b83170df85 |
| SHA1 | 5eba9270b0a48ffda040d10e08aef49acbb4452d |
| SHA256 | 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe |
| SHA512 | 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199 |
memory/4556-18-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4944-17-0x0000000000FC0000-0x000000000147D000-memory.dmp
memory/4556-19-0x0000000000291000-0x00000000002BF000-memory.dmp
memory/4556-20-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4556-22-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4556-21-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4416-24-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4416-25-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4416-26-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4416-27-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4416-28-0x0000000000291000-0x00000000002BF000-memory.dmp
memory/4556-29-0x0000000000290000-0x000000000074D000-memory.dmp
C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
| MD5 | 22b7fa9d7ece61a0e0a7a0e9b130e311 |
| SHA1 | 00329bc46fab8e69da98e11894e7249fc4b5199f |
| SHA256 | 0acada86bfe4cbdc97544e147207bcee377948415acb32223fe6a69716591c8f |
| SHA512 | cbc289aaf8a12863fc5d27443daea89e90045805b110eb2a4eabbfa2afb185651355dcffcb9a8188801786e2a07aa7198d31aba8d3bc4c2f8bcfea66033260b9 |
memory/4556-44-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-45-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-48-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4556-49-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-50-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-51-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-52-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-53-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-54-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-55-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-56-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-57-0x0000000000290000-0x000000000074D000-memory.dmp
memory/3044-58-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-59-0x0000000000290000-0x000000000074D000-memory.dmp
memory/996-61-0x0000000000290000-0x000000000074D000-memory.dmp
memory/996-62-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-64-0x0000000000400000-0x0000000000846000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 490f36a0f5f29d2bd5b8e1d049106215 |
| SHA1 | 7c5ebdb04d4a4fef2dae3f6060588814adf0fc55 |
| SHA256 | 5b8cc019298d83d54dfd2985140dae75571ff3044a8d44121b280e44222e7771 |
| SHA512 | 01ff641a692c7ba61bd463e2829b9f2b5c1668d3ca8a8c68236e8d50026e22075e9c59cdfd6aff0f93abfc82738a24b48378def1ffd5ab8f6614ea8dcd5a526e |
memory/3044-67-0x0000000000400000-0x0000000000846000-memory.dmp
memory/3044-68-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-69-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-70-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-71-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-72-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-73-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-74-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-75-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-76-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-77-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-78-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-79-0x0000000000290000-0x000000000074D000-memory.dmp
memory/1772-81-0x0000000000290000-0x000000000074D000-memory.dmp
memory/1772-83-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-84-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-85-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-86-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4556-87-0x0000000000290000-0x000000000074D000-memory.dmp
memory/4284-88-0x0000000000400000-0x0000000000846000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3196 set thread context of 3728 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133849959703902055" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 816
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc1210cc40,0x7ffc1210cc4c,0x7ffc1210cc58
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2016 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2064 /prefetch:3
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1916,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1932 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3352 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4544 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4816 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4772 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc121146f8,0x7ffc12114708,0x7ffc12114718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\cbsjw" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | d.4ttechnology.com | udp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| US | 8.8.8.8:53 | e5.o.lencr.org | udp |
| GB | 2.23.210.82:80 | e5.o.lencr.org | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| NL | 142.251.36.46:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 172.217.168.196:443 | www.google.com | udp |
| NL | 172.217.168.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 216.58.214.10:443 | ogads-pa.googleapis.com | udp |
| NL | 172.217.168.206:443 | apis.google.com | udp |
| NL | 216.58.214.10:443 | ogads-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| US | 8.8.8.8:53 | nw-umwatson.events.data.microsoft.com | udp |
| US | 13.89.179.12:443 | nw-umwatson.events.data.microsoft.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| N/A | 127.0.0.1:9223 | N/A | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
| DE | 116.203.10.65:443 | d.4ttechnology.com | tcp |
Files
memory/3196-0-0x00000000744FE000-0x00000000744FF000-memory.dmp
memory/3196-1-0x0000000000E40000-0x0000000000E6C000-memory.dmp
memory/3196-2-0x0000000005CE0000-0x0000000006284000-memory.dmp
memory/3728-4-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-6-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3196-7-0x00000000744F0000-0x0000000074CA0000-memory.dmp
memory/3728-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-16-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-21-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-22-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-25-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-29-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-30-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-34-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-35-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-36-0x0000000000400000-0x0000000000429000-memory.dmp
\??\pipe\crashpad_844_WTVQKYFDWLVQUQWK
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
memory/3728-71-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
| MD5 | 47a1175ace396690874c083b24db5969 |
| SHA1 | dbd4bba11202a089b9624aa24a51b06f8d7d0a70 |
| SHA256 | f6ad7e8441b382372083e2a6c9169ee01ffbfe4cd5a081c74f2916d26322c8f5 |
| SHA512 | 83874d49b54f7aed99f10b1ab152d0e8313f03cc7a16646f06ccc6162732e9096cd1dcf13e69a940b4c91bb50e91b09fbfccd62042939456b80465d0b211359f |
memory/3728-80-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-81-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-82-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-83-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f09c5037ff47e75546f2997642cac037 |
| SHA1 | 63d599921be61b598ef4605a837bb8422222bef2 |
| SHA256 | ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662 |
| SHA512 | 280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 010f6dd77f14afcb78185650052a120d |
| SHA1 | 76139f0141fa930b6460f3ca6f00671b4627dc98 |
| SHA256 | 80321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7 |
| SHA512 | 6e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\13a3abfb-46ea-4ae5-bbf3-1b5a60521241.tmp
| MD5 | 86403f46ebf73a60f18c324fc9c524ec |
| SHA1 | f971708e838b0df878bffc8cf38b63207904ab5d |
| SHA256 | d840aacbe986a0164c321b39e63718f92329b0114eb366f4e3395a68eff3c573 |
| SHA512 | 93abaa3daca3e84c323e4a916e998c86a397d15cf4aff54726f98d88652dbae962a07c852ea72d2740b441f421f37d6df64f53eb6761501ed7d51d78f4f53e20 |
memory/3728-114-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-115-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-118-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-119-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-123-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-124-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-128-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-129-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-133-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-136-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-137-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-138-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-142-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-143-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-149-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-150-0x0000000000400000-0x0000000000429000-memory.dmp
memory/3728-151-0x0000000000400000-0x0000000000429000-memory.dmp
C:\ProgramData\cbsjw\srq9hl
| MD5 | 3919fa77c6b2c8f967912d0cf26a4d95 |
| SHA1 | 15d4474682bc23a090b8c842a6f715073dd8d00f |
| SHA256 | 05a5c959c38e6370bcc6cadf517209e4d9ea93d3216633568a60ead6fe96e9a7 |
| SHA512 | 9b4c9a7bdfee674631df1095490afb5ab159ebd2dd8afe5a77afadf250355e785cdc091c6108d9fba0e280f305d0a8acfb557d91d60e21057316de40aca550f3 |
memory/3728-154-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
92s
Max time network
142s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\nahprot.bat' -ArgumentList 'gOsYxjsoymkBmrzpQYy' -WindowStyle Hidden"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" gOsYxjsoymkBmrzpQYy "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"
C:\Windows\system32\findstr.exe
"C:\Windows\system32\findstr.exe" /i WDS100T2B0A
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1212-0-0x00007FFFADEF3000-0x00007FFFADEF5000-memory.dmp
memory/1212-1-0x0000000000FE0000-0x0000000001A0E000-memory.dmp
C:\Users\Admin\AppData\Roaming\nahprot.bat
| MD5 | 4eb348c6ecbb8c6e4c5543fc254ce626 |
| SHA1 | f24923fcd2bb9148270e08622fa6c1079aa81fe1 |
| SHA256 | f1a5969e8b42932f80dc6e74d3301f120cba27a0b27ba2c92ebef7539a89e633 |
| SHA512 | 69b48d17bd205092d3cf3c856ce3920b922f2b701294299b9097613b74acce3d8b866f96557ba532b973f6b321b1705251feb9f85af2edf54aa75c032fae878f |
memory/3904-13-0x000002871D800000-0x000002871D822000-memory.dmp
memory/3904-17-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l141uqv2.eas.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3904-18-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp
memory/3904-19-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp
memory/3904-22-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
Analysis: behavioral5
Detonation Overview
Submitted: 2025-02-25 22:21
Reported: 2025-02-25 22:28
Platform: win7-20240729-en
Max time kernel: 117s
Max time network: 121s
Command Line
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1740 set thread context of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pirtyoffensiz.bet | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted: 2025-02-25 22:21
Reported: 2025-02-25 22:28
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 127s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI7B0D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7BCA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7C57.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f777a03.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7DCE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f777a03.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f777a00.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f777a00.msi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2688 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "000000000000005C"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 85A4A1DF0027295303D0DBA74224C47D
C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe
"C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab7A8D.tmp
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar7AED.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
\Windows\Installer\MSI7B0D.tmp
| MD5 | fbc6ccca9154d017d647938190e4ad8d |
| SHA1 | e753f1511f27427616e98762ba2f45d67c3d90d4 |
| SHA256 | d0c9f193d5fb108035c24cd16495d8471295c8ae4a507cc939dcd3c31ed70836 |
| SHA512 | d72a7b6be718e09b0b6b2a6c32888fb29bbe34d34d1965cce017162224db20d4badaae507244e16e7a72b84a15139fc9cb6ea703925666906f73420684e0d49d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9d4eac348875fc86de13e9f97cc5fefb |
| SHA1 | 3f161725b3319903ebe43f2d9237cbb011c28971 |
| SHA256 | fcf62c342a146c5c05b466b90b55805ef82a6acdb865ee1766bf153991b5c251 |
| SHA512 | 8f39cc2a3f0fee1138e5120a377b113a4ad05602500f3efabf021319d162f7acc679c16ddec9e5571a9efa785efd7939fcc229d04742e33a7c1bb6ac0baa81a7 |
C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe
| MD5 | 83d265901f1be93c303b7b8741fd7152 |
| SHA1 | f67cdd4dac204e1312c194172807cbf01d1533a2 |
| SHA256 | 4f16406f50cbe21dca89bdfefe2f37277e87991adf21afca6c5a7e707eb8fdcf |
| SHA512 | edab01a53fe3f120333c6884f01ae6427aa4b5e9a7af44260a3c52f6ce49bf73641299cecde423554983218314e4bd412b55dfc0812f694aa0dc91fc34999d77 |
C:\Config.Msi\f777a04.rbs
| MD5 | 38b348ef6f0f8f403cd991f3e733ecd9 |
| SHA1 | c3c5545b77a979f9d4601a0369650f063c7600a0 |
| SHA256 | fac4a65e74fcf805c07181198442eb9aea50da272e749209acdd49466b46c762 |
| SHA512 | a7fb7e1a77888cbd4acb5fac6b7a0a6d502dd4323580011224a34c62eda8928971a6fd8a0ac14244160b8a856bfd48ac5b14e8f82a509f7821cd44d054dc270d |
Analysis: behavioral10
Detonation Overview
Submitted: 2025-02-25 22:21
Reported: 2025-02-25 22:28
Platform: win10v2004-20250217-en
Max time kernel: 145s
Max time network: 146s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{55F95064-5419-481D-8C36-B97E94F0FDB0} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB73E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57b40e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57b40e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB4B9.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5D4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB652.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB662.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F5258B7A8F25D512209756B5E488D032
C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe
"C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\Installer\MSIB4B9.tmp
| MD5 | fbc6ccca9154d017d647938190e4ad8d |
| SHA1 | e753f1511f27427616e98762ba2f45d67c3d90d4 |
| SHA256 | d0c9f193d5fb108035c24cd16495d8471295c8ae4a507cc939dcd3c31ed70836 |
| SHA512 | d72a7b6be718e09b0b6b2a6c32888fb29bbe34d34d1965cce017162224db20d4badaae507244e16e7a72b84a15139fc9cb6ea703925666906f73420684e0d49d |
\??\Volume{241e48af-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ec428f4a-0ca4-4e1c-8106-2c037f1fbcdd}_OnDiskSnapshotProp
| MD5 | d60bf153f50b4a33a1522d7ae5ecf38c |
| SHA1 | 0ac489cfd61a32981b28ca3808310e290db8e063 |
| SHA256 | 30568b29697d37a6824492864eaa08da9719088d26b9b026a5c625950ec99465 |
| SHA512 | 1d1bbd4cbd1c9bafc548e425c756f375aad69b0230f56905e439ffe5b00fe96e55befe0eec52e6bfebc8c5b2c15c01e6e25cfdfdba48b3ee408572fe63d2d895 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | b0d48e474c35658999a0685f2d754b84 |
| SHA1 | dfd80ebe2f732c4aea40dafe72d4e4743aa9f9ce |
| SHA256 | b93bfccfeeb6e64bc702ec5ba8819628d4c37ba0ed96abf5be4a62822187f32e |
| SHA512 | dc0d5fa67ee32751047cfde9bdf3f7ec454bb69b557cb8a0bf5a753a6ee5aa3e22dca2ba9742aebfdefe762457bda4cc91b81a4b697c1dfad9aebba09058bf5c |
C:\Config.Msi\e57b411.rbs
| MD5 | e468200c883e319a847ab333976a66c0 |
| SHA1 | c75199efba67c2599892421551c38c6e5803549c |
| SHA256 | b5f73cbaf8b284530c4b98c1ba0f17d7c9127c97be515b910ccab1205e9da04c |
| SHA512 | 3850f0d35b298a4fc9f4a122d8bc6d130f79abaa3795f54eb19b6505ec06626e2e003193e07f1fa01ddb3ce6cfbdc89416e0ada4aa9e958540d34cc35e1c868b |
C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe
| MD5 | 83d265901f1be93c303b7b8741fd7152 |
| SHA1 | f67cdd4dac204e1312c194172807cbf01d1533a2 |
| SHA256 | 4f16406f50cbe21dca89bdfefe2f37277e87991adf21afca6c5a7e707eb8fdcf |
| SHA512 | edab01a53fe3f120333c6884f01ae6427aa4b5e9a7af44260a3c52f6ce49bf73641299cecde423554983218314e4bd412b55dfc0812f694aa0dc91fc34999d77 |
C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\dhcpcsvc.DLL
| MD5 | 1689d3fbe3ed4bcb9074ae6082b5152d |
| SHA1 | 4f74fd2cbe57244a34b39faacc4aad587059b31e |
| SHA256 | d955d0a255078fed07efd6ea5433c01ad966c77991a765aa8d202010879134c6 |
| SHA512 | c3c382a665cae7c3da068081550855f6018713c944073e430565c25c953ae0f71829025e72b27f2798e04416c3651daea573e147a773cf2b8e016dd4cd6cf585 |
memory/2220-139-0x0000000002320000-0x000000000292B000-memory.dmp
memory/2220-141-0x0000000003960000-0x0000000003F6B000-memory.dmp
memory/2220-140-0x0000000003960000-0x0000000003F6B000-memory.dmp
memory/2220-142-0x0000000074780000-0x00000000756B9000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Reads user/profile data of local email clients
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | embarkiffe.shop | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
| US | 104.21.78.43:443 | hobbyedsmoker.live | tcp |
Files
memory/2380-0-0x0000000001240000-0x0000000001549000-memory.dmp
memory/2380-1-0x0000000077370000-0x0000000077372000-memory.dmp
memory/2380-2-0x0000000001241000-0x000000000126B000-memory.dmp
memory/2380-3-0x0000000001240000-0x0000000001549000-memory.dmp
memory/2380-4-0x0000000001240000-0x0000000001549000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
104s
Max time network
156s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/212-0-0x0000000000B00000-0x0000000000D25000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20250207-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\bvts\vsqo.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\bvts\vsqo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\bvts\vsqo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\bvts\vsqo.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\ProgramData\bvts\vsqo.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| N/A | N/A | C:\ProgramData\bvts\vsqo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\bvts\vsqo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| N/A | N/A | C:\ProgramData\bvts\vsqo.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2624 wrote to memory of 2572 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\bvts\vsqo.exe |
| PID 2624 wrote to memory of 2572 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\bvts\vsqo.exe |
| PID 2624 wrote to memory of 2572 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\bvts\vsqo.exe |
| PID 2624 wrote to memory of 2572 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\bvts\vsqo.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {786B5192-4D60-4AF8-9257-2A1E8B4E4A68} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
C:\ProgramData\bvts\vsqo.exe
C:\ProgramData\bvts\vsqo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5110 | towerbingobongoboom.com | tcp |
Files
memory/2244-0-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-1-0x00000000777D0000-0x00000000777D2000-memory.dmp
memory/2244-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/2244-4-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-6-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-7-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-8-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-9-0x0000000000400000-0x0000000000846000-memory.dmp
C:\ProgramData\bvts\vsqo.exe
| MD5 | 77c6d4944106ec80bb717043741b57da |
| SHA1 | aa1550acb66847744e99ee1181d8a7c9035f1339 |
| SHA256 | 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80 |
| SHA512 | b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a |
memory/2572-12-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-13-0x0000000000400000-0x0000000000846000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | d7378aeab567869510665c70d9f74917 |
| SHA1 | 42642dd5f115e6885b0a9a1fe38bbf6814dad254 |
| SHA256 | 3d613854f3db162dea3df4007b240f5b69874222d62ba38f96e98736a44f4adb |
| SHA512 | adba346eb9f275300cc33d0a76a04314da25cb1bef726786b74f94a0c74c7ebf05e8f922d93192486811a1d8e67db88d703093d01d48ecec4e4ac503561e6f12 |
memory/2572-15-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-16-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-17-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-18-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-19-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-20-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-21-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-22-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-23-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-24-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-25-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-26-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2244-27-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-29-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-31-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-32-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-33-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-34-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-35-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-36-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-37-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-38-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2572-39-0x0000000000400000-0x0000000000846000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20241010-en
Max time kernel
120s
Max time network
124s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Vidar family
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2848 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 508
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6589758,0x7fef6589768,0x7fef6589778
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2ngdj" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 11
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.123.95.227:443 | steamcommunity.com | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 172.217.168.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| NL | 216.58.208.106:443 | ogads-pa.googleapis.com | tcp |
| NL | 172.217.168.206:443 | apis.google.com | tcp |
| NL | 216.58.208.106:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| N/A | 127.0.0.1:9223 | | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
| DE | 159.69.100.232:443 | 159.69.100.232 | tcp |
Files
memory/2848-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp
memory/2848-1-0x00000000001C0000-0x00000000001EC000-memory.dmp
memory/1372-10-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-13-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1372-9-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-7-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-8-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-6-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-5-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-15-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-4-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-3-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-16-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/1372-17-0x0000000000400000-0x0000000000429000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar7F26.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fbbbd8aee2a291de2aca7e2b83dc4300 |
| SHA1 | dd8a76a186a8218d6be14c2115e0399e0fc029a7 |
| SHA256 | eb634e1b1642bb87f72ca27ffe19565a6640d758eeeb0576135933f9bdb28d5c |
| SHA512 | f2cd4b8363840b95c564b22eb2dd0fa1a073811a68d9fac74d9ff1be6c9aaaef250adbb921f1fab0a252842e59527a4ef09bd611348e507254583f2a1b28fea2 |
memory/1372-165-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-186-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-191-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-212-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-215-0x0000000000400000-0x0000000000429000-memory.dmp
memory/2848-216-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/1372-240-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-264-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-265-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-266-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-291-0x0000000000400000-0x0000000000429000-memory.dmp
\??\pipe\crashpad_1508_JCTSRLKFSRCWNWGA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/1372-362-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-365-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-408-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-409-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-431-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-452-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-493-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-514-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-515-0x0000000000400000-0x0000000000429000-memory.dmp
memory/1372-578-0x0000000000400000-0x0000000000429000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"
Network
Files
memory/808-0-0x0000000000260000-0x0000000000485000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Xworm
Xworm family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2980 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe |
Browser Information Discovery
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 524
C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
"C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe"
C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
"C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe"
Network
| Country | Destination | Domain | Proto |
| GB | 37.235.55.68:1987 | | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| RU | 194.87.99.40:80 | 194.87.99.40 | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2980-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp
memory/2980-1-0x00000000012F0000-0x0000000001504000-memory.dmp
memory/2652-3-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2652-8-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-16-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-7-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-6-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-5-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2980-15-0x0000000073F10000-0x00000000745FE000-memory.dmp
memory/2652-14-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-13-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-12-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2652-4-0x0000000000400000-0x000000000060C000-memory.dmp
\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
| MD5 | 8522913829a30ad563871e12fdd07707 |
| SHA1 | 6d4fc1b91909a5b267e4cd4f581068fe77e44e6f |
| SHA256 | dcb40abf5ad8a692a62ac722866eb14664d7951b1fa9498091d46a0af0b6813c |
| SHA512 | 3fe8eb66c3273a743f97293306cf1eaf30264b6fa187af62d6db533335691867eee51a206341c1b97ec6fd59d6d2c99f44e4958e869e98b9f62bc8a56074f80f |
memory/2652-33-0x0000000000400000-0x000000000060C000-memory.dmp
C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
| MD5 | 4761ea2568c231143ed81463fdf8e01d |
| SHA1 | 6c821733e1487e79499e374b97464de323a9be5c |
| SHA256 | 37f54e6b882a55e2b461807c3d82eef458a92b3a0eb509096777d3a75e074e7e |
| SHA512 | 542dd6e12402f3b0510ee5cd04e1d277177cbce09a532b92714cfa02f5c9dcdbfbfd333b9ca9e5af8e2d697825104178535572c54a44f4084ef50009e7924ea5 |
memory/2652-31-0x0000000000400000-0x000000000060C000-memory.dmp
memory/2784-34-0x0000000000BC0000-0x0000000000BD2000-memory.dmp
memory/2608-35-0x00000000011B0000-0x0000000001384000-memory.dmp
memory/2608-37-0x0000000000410000-0x000000000041E000-memory.dmp
memory/2608-42-0x0000000000420000-0x000000000042E000-memory.dmp
memory/2608-44-0x0000000000460000-0x000000000046C000-memory.dmp
memory/2608-40-0x0000000000440000-0x000000000045C000-memory.dmp
memory/2608-39-0x0000000000460000-0x000000000047C000-memory.dmp
memory/2980-45-0x0000000073F10000-0x00000000745FE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 83142242e97b8953c386f988aa694e4a |
| SHA1 | 833ed12fc15b356136dcdd27c61a50f59c5c7d50 |
| SHA256 | d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755 |
| SHA512 | bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10 |
C:\Users\Admin\AppData\Local\Temp\Tar26F8.tmp
| MD5 | 109cab5505f5e065b63d01361467a83b |
| SHA1 | 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc |
| SHA256 | ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673 |
| SHA512 | 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc |
C:\Users\Admin\AppData\Local\Temp\qOHqs19ozf
| MD5 | ae2cd96016ba8a9d0c675d9d9badbee7 |
| SHA1 | fd9df8750aacb0e75b2463c285c09f3bbd518a69 |
| SHA256 | dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04 |
| SHA512 | 7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d |
Analysis: behavioral21
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20240903-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1992 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1992 wrote to memory of 2976 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 856
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | dsfljsdfjewf.info | udp |
| US | 8.8.8.8:53 | uncertainyelemz.bet | udp |
| US | 8.8.8.8:53 | hobbyedsmoker.live | udp |
| US | 172.67.216.4:443 | hobbyedsmoker.live | tcp |
Files
memory/1992-1-0x00000000000F0000-0x000000000014E000-memory.dmp
memory/1992-0-0x0000000000F00000-0x0000000000F02000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\jsat\ucjskcd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| N/A | N/A | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\jsat\ucjskcd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe | N/A |
| N/A | N/A | C:\ProgramData\jsat\ucjskcd.exe | N/A |
| N/A | N/A | C:\ProgramData\jsat\ucjskcd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"
C:\ProgramData\jsat\ucjskcd.exe
C:\ProgramData\jsat\ucjskcd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5112 | towerbingobongoboom.com | tcp |
Files
memory/4956-0-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-1-0x0000000077D34000-0x0000000077D36000-memory.dmp
memory/4956-3-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/4956-6-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-7-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-8-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-9-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-10-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-11-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-12-0x0000000000400000-0x0000000000846000-memory.dmp
C:\ProgramData\jsat\ucjskcd.exe
| MD5 | 77c6d4944106ec80bb717043741b57da |
| SHA1 | aa1550acb66847744e99ee1181d8a7c9035f1339 |
| SHA256 | 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80 |
| SHA512 | b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a |
memory/4680-15-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-16-0x0000000000400000-0x0000000000846000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | f428af2c82d982ba35a8155a1542a94e |
| SHA1 | 66e829251e65ffadb159ce67b7255db97bda306b |
| SHA256 | 827a3199ac9ec51fade8ee872cfd5a529716de8257b523da89596b147ab878ff |
| SHA512 | 9e8482e22904050344b577a3620534aaba73a1d7b9f8d7f3a5cfbbd60d203f64ec883c50fe1c26c24a02780bab4eff8f571e28b15f48c820a721225f3aeed86a |
memory/4680-18-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4956-19-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-21-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-22-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-23-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-24-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-25-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-26-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-27-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-28-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-29-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-30-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-31-0x0000000000400000-0x0000000000846000-memory.dmp
memory/4680-32-0x0000000000400000-0x0000000000846000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2025-02-25 22:21
Reported
2025-02-25 22:28
Platform
win7-20250207-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\baabdababbec = "\"C:\\ProgramData\\baabdababbec.exe\"" | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe"
Network
Files
memory/2096-0-0x000000013F7F0000-0x000000013F88F000-memory.dmp
memory/1216-1-0x0000000004D60000-0x0000000004E05000-memory.dmp
memory/1216-2-0x0000000004D60000-0x0000000004E05000-memory.dmp
memory/1216-7-0x0000000004D60000-0x0000000004E05000-memory.dmp
memory/2096-6-0x000000013F7F0000-0x000000013F88F000-memory.dmp