Malware Analysis Report

2025-04-03 09:14

Sample ID 250225-19r79a1jy2
Target quarantine.7z
SHA256 cc95c0db419de3ca25709f4c1abc74ebdb72947b1d4d7e35b4ab6c36ffdee484
Tags
persistence discovery spyware stealer lumma defense_evasion 092155 amadey execution xworm rat trojan systembc a4d2cd vidar ir7am credential_access privilege_escalation
score
10/10

Analysis Overview

score
10/10

SHA256

cc95c0db419de3ca25709f4c1abc74ebdb72947b1d4d7e35b4ab6c36ffdee484

Threat Level: Known bad

The file quarantine.7z was found to be: Known bad.

Malicious Activity Summary

Amadey

Amadey family

Xworm

Detect Xworm Payload

Systembc family

Lumma Stealer, LummaC

Xworm family

SystemBC

Vidar family

Lumma family

Vidar

Detect Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Uses browser remote debugging

Downloads MZ/PE file

Reads user/profile data of local email clients

Checks computer location settings

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Unsecured Credentials: Credentials In Files

Reads user/profile data of web browsers

Loads dropped DLL

Reads data files stored by FTP clients

.NET Reactor protector

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

AutoIT Executable

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Browser Information Discovery

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Gathers network information

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Delays execution with timeout.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-25 22:21

Signatures

Amadey family

amadey

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

131s

Max time network

149s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ddcedbbabcc = "\"C:\\ProgramData\\ddcedbbabcc.exe\"" C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/3612-0-0x00007FF76BFF0000-0x00007FF76C08F000-memory.dmp

memory/3568-2-0x0000000002B50000-0x0000000002BF5000-memory.dmp

memory/3568-1-0x0000000002B50000-0x0000000002BF5000-memory.dmp

memory/3612-5-0x00007FF76BFF0000-0x00007FF76C08F000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

126s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4588 set thread context of 2528 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4588 -ip 4588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 presentymusse.world udp
US 172.67.169.190:443 presentymusse.world tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 172.67.169.190:443 presentymusse.world tcp
US 172.67.169.190:443 presentymusse.world tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4588-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/4588-1-0x0000000000870000-0x00000000008CC000-memory.dmp

memory/4588-2-0x0000000005670000-0x0000000005C14000-memory.dmp

memory/2528-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2528-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4588-7-0x0000000074CC0000-0x0000000075470000-memory.dmp

memory/2528-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2528-9-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

135s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4940 set thread context of 1368 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 800

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/4940-0-0x0000000074EFE000-0x0000000074EFF000-memory.dmp

memory/4940-1-0x0000000000B10000-0x0000000000BE6000-memory.dmp

memory/4940-2-0x0000000005D00000-0x00000000062A4000-memory.dmp

memory/4940-3-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/1368-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1368-7-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4940-8-0x0000000074EF0000-0x00000000756A0000-memory.dmp

memory/1368-9-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1368-10-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2464 set thread context of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe
PID 2464 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Windows\SysWOW64\WerFault.exe
PID 2464 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Windows\SysWOW64\WerFault.exe
PID 2464 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Windows\SysWOW64\WerFault.exe
PID 2464 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 504

Network

Country Destination Domain Proto
US 8.8.8.8:53 paleboreei.biz udp
US 172.67.181.243:443 paleboreei.biz tcp
US 172.67.181.243:443 paleboreei.biz tcp
US 172.67.181.243:443 paleboreei.biz tcp

Files

memory/2464-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

memory/2464-1-0x0000000000800000-0x000000000085C000-memory.dmp

memory/2284-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-8-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2284-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-7-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-5-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-3-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2464-13-0x0000000074E90000-0x000000007557E000-memory.dmp

memory/2284-14-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2284-15-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2464-16-0x0000000074E90000-0x000000007557E000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

98s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20241023-en

Max time kernel

122s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp

Files

memory/2588-0-0x00000000012A0000-0x00000000015B3000-memory.dmp

memory/2588-1-0x00000000773F0000-0x00000000773F2000-memory.dmp

memory/2588-2-0x00000000012A1000-0x00000000012CB000-memory.dmp

memory/2588-3-0x00000000012A0000-0x00000000015B3000-memory.dmp

memory/2588-4-0x00000000012A0000-0x00000000015B3000-memory.dmp

memory/2588-5-0x00000000012A0000-0x00000000015B3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20241023-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe C:\Windows\system32\cmd.exe
PID 1980 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe C:\Windows\system32\cmd.exe
PID 2392 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2392 wrote to memory of 1476 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1476 wrote to memory of 1156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1156 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2260 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe
PID 2260 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe
PID 2260 wrote to memory of 2692 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\nahprot.bat' -ArgumentList 'gOsYxjsoymkBmrzpQYy' -WindowStyle Hidden"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" gOsYxjsoymkBmrzpQYy "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"

C:\Windows\system32\findstr.exe

"C:\Windows\system32\findstr.exe" /i WDS100T2B0A

Network

N/A

Files

memory/1980-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

memory/1980-1-0x0000000000A40000-0x000000000146E000-memory.dmp

C:\Users\Admin\AppData\Roaming\nahprot.bat

MD5 4eb348c6ecbb8c6e4c5543fc254ce626
SHA1 f24923fcd2bb9148270e08622fa6c1079aa81fe1
SHA256 f1a5969e8b42932f80dc6e74d3301f120cba27a0b27ba2c92ebef7539a89e633
SHA512 69b48d17bd205092d3cf3c856ce3920b922f2b701294299b9097613b74acce3d8b866f96557ba532b973f6b321b1705251feb9f85af2edf54aa75c032fae878f

memory/1476-15-0x0000000002B60000-0x0000000002BE0000-memory.dmp

memory/1476-16-0x000000001B480000-0x000000001B762000-memory.dmp

memory/1476-17-0x00000000027A0000-0x00000000027A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2a36368aea2f3b873f2c3a920cfbc2c2
SHA1 9ba0a0fac7842eb13fdf1d9bea64625fd7c11446
SHA256 2c45c3e87421f6cac4c487ef7ad12eb8a0fbaf8e049fcf7502ceb8469fc2da7e
SHA512 a9041a20b51a338ad8ece74d1ab691c9f8a94069a8bfac0765979217f5eb36e3b95e34d5a236cdea2de5181c94b8a21a1eaf9225c737206815760e863ed93393

memory/2260-23-0x000000001B570000-0x000000001B852000-memory.dmp

memory/2260-24-0x0000000001F00000-0x0000000001F08000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20241010-en

Max time kernel

121s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 524 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob not reproduced in this report) C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary certificate blob not reproduced in this report) C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 524 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.21:443 bitbucket.org tcp
US 8.8.8.8:53 appengine.google.com udp
TR 94.156.227.220:7000 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 2.23.205.233:80 www.microsoft.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.99:80 crl.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar1E80.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

memory/2668-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-62-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-66-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-65-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-59-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-56-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-54-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2668-55-0x0000000000400000-0x000000000043C000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

140s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1596 set thread context of 2804 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\RHPLumH.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 bitbucket.org udp
IE 185.166.142.22:443 bitbucket.org tcp
US 8.8.8.8:53 appengine.google.com udp
TR 94.156.227.220:7000 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/2804-6-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2804-7-0x0000000073BAE000-0x0000000073BAF000-memory.dmp

memory/2804-8-0x0000000005230000-0x00000000052CC000-memory.dmp

memory/2804-9-0x0000000073BA0000-0x0000000074350000-memory.dmp

memory/2804-10-0x0000000005780000-0x00000000057E6000-memory.dmp

memory/2804-11-0x0000000073BAE000-0x0000000073BAF000-memory.dmp

memory/2804-12-0x0000000073BA0000-0x0000000074350000-memory.dmp

memory/2804-13-0x00000000060B0000-0x0000000006142000-memory.dmp

memory/2804-14-0x0000000006700000-0x0000000006CA4000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

120s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 172.67.216.4:443 N/A tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp
IE 20.223.35.26:443 N/A tcp
IE 20.223.35.26:443 N/A tcp
IE 20.223.35.26:443 N/A tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4256-0-0x0000000000CE0000-0x0000000000FE9000-memory.dmp

memory/4256-1-0x00000000771B4000-0x00000000771B6000-memory.dmp

memory/4256-2-0x0000000000CE1000-0x0000000000D0B000-memory.dmp

memory/4256-3-0x0000000000CE0000-0x0000000000FE9000-memory.dmp

memory/4256-4-0x0000000000CE0000-0x0000000000FE9000-memory.dmp

memory/4256-5-0x0000000000CE0000-0x0000000000FE9000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

139s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\E3WGlpL.exe"

Network

Country Destination Domain Proto
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 decreaserid.world udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1884-0-0x0000000000C40000-0x0000000000F53000-memory.dmp

memory/1884-1-0x0000000077B44000-0x0000000077B46000-memory.dmp

memory/1884-2-0x0000000000C41000-0x0000000000C6B000-memory.dmp

memory/1884-3-0x0000000000C40000-0x0000000000F53000-memory.dmp

memory/1884-4-0x0000000000C40000-0x0000000000F53000-memory.dmp

memory/1884-5-0x0000000000C40000-0x0000000000F53000-memory.dmp

memory/1884-6-0x0000000000C40000-0x0000000000F53000-memory.dmp

memory/1884-7-0x0000000000C40000-0x0000000000F53000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240729-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\dnao\rbsmife.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\dnao\rbsmife.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\dnao\rbsmife.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\ProgramData\dnao\rbsmife.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
N/A N/A C:\ProgramData\dnao\rbsmife.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\dnao\rbsmife.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2812 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
PID 2812 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
PID 2812 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
PID 2812 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe
PID 944 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dnao\rbsmife.exe
PID 944 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dnao\rbsmife.exe
PID 944 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dnao\rbsmife.exe
PID 944 wrote to memory of 1984 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\dnao\rbsmife.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe

"C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {3279D3F4-691F-49DA-8C18-18C8B088C80A} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\ProgramData\dnao\rbsmife.exe

C:\ProgramData\dnao\rbsmife.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5111 towerbingobongoboom.com tcp

Files

memory/2096-0-0x0000000000AB0000-0x0000000000F6D000-memory.dmp

memory/2096-1-0x0000000077D40000-0x0000000077D42000-memory.dmp

memory/2096-2-0x0000000000AB1000-0x0000000000ADF000-memory.dmp

memory/2096-3-0x0000000000AB0000-0x0000000000F6D000-memory.dmp

memory/2096-5-0x0000000000AB0000-0x0000000000F6D000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

memory/2096-18-0x0000000006C10000-0x00000000070CD000-memory.dmp

memory/2096-20-0x0000000006C10000-0x00000000070CD000-memory.dmp

memory/2812-21-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2096-17-0x0000000000AB0000-0x0000000000F6D000-memory.dmp

memory/2812-22-0x0000000000EA1000-0x0000000000ECF000-memory.dmp

memory/2812-23-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-26-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-25-0x0000000000EA0000-0x000000000135D000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe

MD5 22b7fa9d7ece61a0e0a7a0e9b130e311
SHA1 00329bc46fab8e69da98e11894e7249fc4b5199f
SHA256 0acada86bfe4cbdc97544e147207bcee377948415acb32223fe6a69716591c8f
SHA512 cbc289aaf8a12863fc5d27443daea89e90045805b110eb2a4eabbfa2afb185651355dcffcb9a8188801786e2a07aa7198d31aba8d3bc4c2f8bcfea66033260b9

memory/2812-42-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-43-0x0000000006E00000-0x0000000007246000-memory.dmp

memory/2044-45-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-44-0x0000000006E00000-0x0000000007246000-memory.dmp

memory/2812-49-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-50-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-51-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-52-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2812-53-0x0000000006E00000-0x0000000007246000-memory.dmp

memory/2044-56-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-55-0x0000000006E00000-0x0000000007246000-memory.dmp

memory/2044-54-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-57-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2044-58-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-59-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2044-60-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-61-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2044-62-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-63-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/2044-64-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-65-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-68-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 900d8ea41149a4bc1d0bc27b8178287c
SHA1 583e385ffa18b2bc1247e82dce18ec48826d7237
SHA256 8c761b26944c1136b004791bc0924f71976a8db069e0caf4c5aee93ad46370c7
SHA512 e5296bea28e9f65dac0dda22c415b64b79b866da928cf3b074d2c44e6dded8764a8ed1909728ad01a09a09b264e16f670588fe8979093339ef501b0def195e68

memory/2044-70-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-71-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-72-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1984-73-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-74-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-75-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-76-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-77-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-78-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-79-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-80-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-81-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-82-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-83-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-84-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-85-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2812-86-0x0000000000EA0000-0x000000000135D000-memory.dmp

memory/1984-87-0x0000000000400000-0x0000000000846000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"

Signatures

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 150.171.27.10:443 N/A tcp
US 150.171.27.10:443 N/A tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3504-0-0x0000000001650000-0x0000000001652000-memory.dmp

memory/3504-1-0x00000000031E0000-0x000000000323E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20241023-en

Max time kernel

144s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe
PID 2128 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\6NPpGdC.exe"

Network

N/A

Files

memory/2128-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/2128-1-0x00000000003D0000-0x000000000042C000-memory.dmp

memory/2128-3-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/2128-4-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/2128-5-0x0000000074AC0000-0x00000000751AE000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3908 set thread context of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 3848 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe
PID 3848 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe
PID 3848 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe
PID 3848 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe
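
The WriteProcessMemory tables in this report (JhOTKwS.exe above, q3na5Mc.exe in behavioral30 below) list one row per API call, which hides the shape of the injection: a dropper writes into a child of its own image, the hollowed child then writes into the binaries it dropped or into a browser it launched. The script below is an added example by the editor, not sandbox output. It parses rows copied from those tables (plus the behavioral30 SetThreadContext row), collapses repeated calls into counted edges, follows root-to-leaf injection chains and labels each edge. The labels, the C:\Program Files heuristic for installed applications and the treatment of a browser's same-image writes as low signal are the editor's assumptions: a browser writes into its own sandboxed children legitimately, so the 844 -> 4076 chrome.exe edge is only meaningful when read against the process tree.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: rows copied from the "Suspicious use of
# WriteProcessMemory" / "SetThreadContext" tables of this report. The
# JhOTKwS.exe row really occurs ten times; the sandbox logs one row per call.
ROW_3908 = r"PID 3908 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"
SAMPLE_ROWS = "\n".join([ROW_3908] * 10 + [
    r"PID 3848 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe",
    r"PID 3848 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe",
    r"PID 3848 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe",
    r"PID 3848 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe",
    r"PID 3196 set thread context of 3728 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 3196 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 3728 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"PID 844 wrote to memory of 4076 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
])

# Process and Target both start with "C:\"; the non-greedy first path stops at
# the space before the second drive letter, so paths with spaces still parse.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>C:\\.*?) (?P<dst_img>C:\\.*)$"
)


def parse_rows(text):
    """Turn signature rows into (src_pid, op, dst_pid, src_image, dst_image) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["op"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_graph(events):
    """Collapse per-call rows into one edge per (src_pid, dst_pid) with call counts."""
    edges = {}
    for src, op, dst, src_img, dst_img in events:
        e = edges.setdefault((src, dst), {"writes": 0, "ctx": 0, "src_img": src_img, "dst_img": dst_img})
        e["writes" if op.startswith("wrote") else "ctx"] += 1
    return edges


def classify(edge):
    """Label an edge; the heuristics here are the editor's assumptions."""
    src_name = PureWindowsPath(edge["src_img"]).name.lower()
    dst_name = PureWindowsPath(edge["dst_img"]).name.lower()
    in_program_files = lambda p: "\\program files" in p.lower()
    if src_name == dst_name and edge["ctx"]:
        return "self-image hollowing (WriteProcessMemory + SetThreadContext)"
    if src_name == dst_name:
        if in_program_files(edge["src_img"]):
            return "same-image child of an installed application (normal for browsers; low signal)"
        return "self-image writes (hollowing/RunPE candidate; confirm SetThreadContext/ResumeThread)"
    if in_program_files(edge["dst_img"]):
        return f"write into installed application {dst_name}"
    return f"write into dropped binary {dst_name}"


def chains(edges):
    """Every injection path from a root PID (never itself a target) down to a leaf."""
    children = defaultdict(list)
    targets = set()
    for src, dst in edges:
        children[src].append(dst)
        targets.add(dst)
    paths = []

    def walk(path):
        nxt = children.get(path[-1], [])
        if not nxt:
            paths.append(path)
        for c in nxt:
            if c not in path:  # guard against cycles in malformed input
                walk(path + [c])

    for root in sorted(p for p in children if p not in targets):
        walk([root])
    return paths


def report(text):
    edges = build_graph(parse_rows(text))
    lines = [" -> ".join(str(p) for p in path) for path in chains(edges)]
    for (src, dst), e in edges.items():
        lines.append(f"  {src}->{dst}: {e['writes']} write(s), {e['ctx']} SetThreadContext; {classify(e)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ROWS)))
```

Run against a full export of the signature tables, the chain output is the quickest way to see which PID is the final payload host (here 644 and 3320, the two Roaming executables whose hashes appear under Files) and therefore which memory dumps are worth unpacking first.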

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 816

C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe

"C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe"

C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe

"C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe"

Network

Country Destination Domain Proto
GB 2.18.27.9:443 www.bing.com tcp
RU 194.87.99.40:80 194.87.99.40 tcp
RU 194.87.99.40:80 194.87.99.40 tcp
GB 37.235.55.68:1987 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 abolhb.com udp
GB 185.172.175.125:5050 abolhb.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
GB 185.172.175.125:5050 abolhb.com tcp
GB 185.172.175.125:5050 abolhb.com tcp
GB 185.172.175.125:5050 abolhb.com tcp
GB 185.172.175.125:5050 abolhb.com tcp
RU 194.87.99.40:80 194.87.99.40 tcp

Files

memory/3908-0-0x000000007514E000-0x000000007514F000-memory.dmp

memory/3908-1-0x0000000000C80000-0x0000000000E94000-memory.dmp

memory/3908-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

memory/3848-6-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3848-7-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3848-4-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3848-5-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3848-9-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3908-8-0x0000000075140000-0x00000000758F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\UtWxcu4d1U.exe

MD5 8522913829a30ad563871e12fdd07707
SHA1 6d4fc1b91909a5b267e4cd4f581068fe77e44e6f
SHA256 dcb40abf5ad8a692a62ac722866eb14664d7951b1fa9498091d46a0af0b6813c
SHA512 3fe8eb66c3273a743f97293306cf1eaf30264b6fa187af62d6db533335691867eee51a206341c1b97ec6fd59d6d2c99f44e4958e869e98b9f62bc8a56074f80f

C:\Users\Admin\AppData\Roaming\2xkIuRioRj.exe

MD5 4761ea2568c231143ed81463fdf8e01d
SHA1 6c821733e1487e79499e374b97464de323a9be5c
SHA256 37f54e6b882a55e2b461807c3d82eef458a92b3a0eb509096777d3a75e074e7e
SHA512 542dd6e12402f3b0510ee5cd04e1d277177cbce09a532b92714cfa02f5c9dcdbfbfd333b9ca9e5af8e2d697825104178535572c54a44f4084ef50009e7924ea5

memory/644-35-0x00000000008B0000-0x00000000008C2000-memory.dmp

memory/3320-36-0x0000000000D00000-0x0000000000ED4000-memory.dmp

memory/3848-34-0x0000000000400000-0x000000000060C000-memory.dmp

memory/3848-31-0x0000000000400000-0x000000000060C000-memory.dmp

memory/644-29-0x00007FFB80A33000-0x00007FFB80A35000-memory.dmp

memory/3320-37-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/3320-38-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/3320-39-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/644-40-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/3320-42-0x00000000015E0000-0x00000000015EE000-memory.dmp

memory/3320-44-0x0000000003010000-0x000000000302C000-memory.dmp

memory/3320-45-0x000000001BB60000-0x000000001BB7C000-memory.dmp

memory/3320-46-0x000000001BBD0000-0x000000001BC20000-memory.dmp

memory/3320-48-0x00000000015F0000-0x00000000015FE000-memory.dmp

memory/3320-50-0x0000000003070000-0x000000000307C000-memory.dmp

memory/644-51-0x000000001C790000-0x000000001C79E000-memory.dmp

memory/3320-52-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/3320-53-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

memory/644-54-0x00007FFB80A30000-0x00007FFB814F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KC2Lq8pBKb

MD5 777045764e460e37b6be974efa507ba8
SHA1 0301822aed02f42bee1668be2a58d4e47b1786af
SHA256 e5eff7f20dc1d3b95fa70330e2962c0ce3fce442a928c3090ccb81005457cb0f
SHA512 a7632f0928250ffb6bd52bbbe829042fd5146869da8de7c5879584d2316c43fb6b938cc05941c4969503bfaccdec4474d56a6f7f6a871439019dc387b1ff9209

C:\Users\Admin\AppData\Local\Temp\K3D9v5NFpS

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Analysis: behavioral16

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

136s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4060 set thread context of 4340 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\MegVlau.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4060 -ip 4060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 788

Network

Country Destination Domain Proto
US 8.8.8.8:53 paleboreei.biz udp
US 172.67.181.243:443 paleboreei.biz tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 172.67.181.243:443 paleboreei.biz tcp
US 172.67.181.243:443 paleboreei.biz tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/4060-0-0x000000007454E000-0x000000007454F000-memory.dmp

memory/4060-1-0x00000000008E0000-0x000000000093C000-memory.dmp

memory/4060-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

memory/4340-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4340-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4060-7-0x0000000074540000-0x0000000074CF0000-memory.dmp

memory/4340-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/4340-9-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\gdcrsjl\qxgq.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
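
The registry signatures above (the VBOX__ ACPI table, SystemBiosVersion/VideoBiosVersion, Software\Wine, Geo\Nation, NLS\Language) are listed one row per access and per process. The script below is an added example by the editor, not part of the sandbox report. It parses rows copied from those tables, matches each key against a small rule list and scores every process on distinct checks rather than on row count, so a binary that polls VideoBiosVersion six times is not rated higher than one that polls it once. Rule names, weights and the threshold of 4 are the editor's assumptions. Caveat: Windows components and browsers also read NLS\Language and the HARDWARE\DESCRIPTION\System\BIOS subkeys (see the msedge.exe rows in behavioral30), which is why the language and location keys carry low weight and BIOS\SystemManufacturer style reads are deliberately not matched; the signal is one process combining a VirtualBox DSDT probe, a Wine probe and BIOS version strings.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: a subset of the "Key opened" / "Key value queried"
# rows from the behavioral18 signatures above, plus one msedge.exe row from
# behavioral30 as a benign control.
SAMPLE_EVENTS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\ProgramData\gdcrsjl\qxgq.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
"""

# Key paths may contain spaces ("Control Panel"); the non-greedy key stops at
# the space before the process path, which always starts with "C:\".
EVENT_RE = re.compile(
    r"^(?P<op>Key opened|Key value queried) (?P<key>\\REGISTRY\\.*?) (?P<proc>C:\\.*?) N/A$"
)

# (rule name, category, weight, key pattern). Weights and FLAG_THRESHOLD are
# the editor's assumptions, not values from the sandbox.
RULES = [
    ("acpi_vbox",    "anti-vm",  3, r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$"),
    ("bios_strings", "anti-vm",  2, r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$"),
    ("wine",         "anti-vm",  2, r"\\Software\\Wine$"),
    ("geo_nation",   "geofence", 1, r"\\Control Panel\\International\\Geo\\Nation$"),
    ("nls_language", "geofence", 1, r"\\Control\\NLS\\Language$"),
]
COMPILED = [(n, c, w, re.compile(p, re.IGNORECASE)) for n, c, w, p in RULES]
FLAG_THRESHOLD = 4


def parse_events(text):
    """Yield (registry key, process path) for every well-formed row."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield m["key"], m["proc"]


def match_rules(key):
    """All rules whose pattern matches the key, as (name, category, weight)."""
    return [(n, c, w) for n, c, w, rx in COMPILED if rx.search(key)]


def score_processes(text):
    """Score each process on distinct matched rules; repeated reads of one key count once."""
    results = {}
    for key, proc in parse_events(text):
        name = PureWindowsPath(proc).name
        r = results.setdefault(name, {"path": proc, "hits": set(), "categories": set(), "score": 0})
        for n, c, w in match_rules(key):
            if n not in r["hits"]:
                r["hits"].add(n)
                r["categories"].add(c)
                r["score"] += w
    for r in results.values():
        r["hits"] = sorted(r["hits"])
        r["categories"] = sorted(r["categories"])
        r["flagged"] = r["score"] >= FLAG_THRESHOLD
    return results


if __name__ == "__main__":
    for name, r in sorted(score_processes(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1]["score"]):
        verdict = "ANTI-ANALYSIS GATE" if r["flagged"] else "no gate"
        print(f"{name:18} score={r['score']:2} {verdict:18} {','.join(r['hits'])}")
```

Because the score is built from distinct checks, it is stable across sandbox runs of different length; a process that is flagged here but shows no C2 traffic in the Network table is the usual sign that the gate fired and the payload stayed dormant, which is worth knowing before trusting the rest of the run.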

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Q7t2AMs.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe

"C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\gdcrsjl\qxgq.exe

C:\ProgramData\gdcrsjl\qxgq.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5113 towerbingobongoboom.com tcp

Files

memory/4944-0-0x0000000000FC0000-0x000000000147D000-memory.dmp

memory/4944-1-0x0000000077A34000-0x0000000077A36000-memory.dmp

memory/4944-3-0x0000000000FC0000-0x000000000147D000-memory.dmp

memory/4944-2-0x0000000000FC1000-0x0000000000FEF000-memory.dmp

memory/4944-4-0x0000000000FC0000-0x000000000147D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 e3db5749715032f09380e2b83170df85
SHA1 5eba9270b0a48ffda040d10e08aef49acbb4452d
SHA256 0b7d45d489afd6e58928811ef8f1205be232299791f0011578e9ce688735aafe
SHA512 682cd0e0a9c915b6c7b0b95186c18536167059920abe8afd92efa7259f6a5d918a4e7a7da7c32f44bc62e6d16fd8988ea046a21429b83bbe37457fdf3e77e199

memory/4556-18-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4944-17-0x0000000000FC0000-0x000000000147D000-memory.dmp

memory/4556-19-0x0000000000291000-0x00000000002BF000-memory.dmp

memory/4556-20-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4556-22-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4556-21-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4416-24-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4416-25-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4416-26-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4416-27-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4416-28-0x0000000000291000-0x00000000002BF000-memory.dmp

memory/4556-29-0x0000000000290000-0x000000000074D000-memory.dmp

C:\Users\Admin\AppData\Roaming\10000160100\sounsaytums.exe

MD5 22b7fa9d7ece61a0e0a7a0e9b130e311
SHA1 00329bc46fab8e69da98e11894e7249fc4b5199f
SHA256 0acada86bfe4cbdc97544e147207bcee377948415acb32223fe6a69716591c8f
SHA512 cbc289aaf8a12863fc5d27443daea89e90045805b110eb2a4eabbfa2afb185651355dcffcb9a8188801786e2a07aa7198d31aba8d3bc4c2f8bcfea66033260b9

memory/4556-44-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-45-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-48-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4556-49-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-50-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-51-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-52-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-53-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-54-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-55-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-56-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-57-0x0000000000290000-0x000000000074D000-memory.dmp

memory/3044-58-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-59-0x0000000000290000-0x000000000074D000-memory.dmp

memory/996-61-0x0000000000290000-0x000000000074D000-memory.dmp

memory/996-62-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-64-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 490f36a0f5f29d2bd5b8e1d049106215
SHA1 7c5ebdb04d4a4fef2dae3f6060588814adf0fc55
SHA256 5b8cc019298d83d54dfd2985140dae75571ff3044a8d44121b280e44222e7771
SHA512 01ff641a692c7ba61bd463e2829b9f2b5c1668d3ca8a8c68236e8d50026e22075e9c59cdfd6aff0f93abfc82738a24b48378def1ffd5ab8f6614ea8dcd5a526e

memory/3044-67-0x0000000000400000-0x0000000000846000-memory.dmp

memory/3044-68-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-69-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-70-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-71-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-72-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-73-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-74-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-75-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-76-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-77-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-78-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-79-0x0000000000290000-0x000000000074D000-memory.dmp

memory/1772-81-0x0000000000290000-0x000000000074D000-memory.dmp

memory/1772-83-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-84-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-85-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-86-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4556-87-0x0000000000290000-0x000000000074D000-memory.dmp

memory/4284-88-0x0000000000400000-0x0000000000846000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (37 matches reported without further detail)

Vidar

stealer vidar

Vidar family

vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3196 set thread context of 3728 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133849959703902055" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3196 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 3728 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 844 wrote to memory of 4076 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 844 wrote to memory of 3972 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 844 wrote to memory of 3920 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 844 wrote to memory of 2096 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 816

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc1210cc40,0x7ffc1210cc4c,0x7ffc1210cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2020,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2016 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2064 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1916,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1932 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3184 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4524 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4268,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4544 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4780 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4816 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5032,i,10671085103130990768,17841104921125912884,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4772 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc121146f8,0x7ffc12114708,0x7ffc12114718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2084,364002511346551316,13148270459247627470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\cbsjw" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 d.4ttechnology.com udp
DE 116.203.10.65:443 d.4ttechnology.com tcp
US 8.8.8.8:53 e5.o.lencr.org udp
GB 2.23.210.82:80 e5.o.lencr.org tcp
US 8.8.8.8:53 clients2.google.com udp
NL 142.251.36.46:443 clients2.google.com tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.168.196:443 www.google.com udp
NL 172.217.168.196:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
NL 216.58.214.10:443 ogads-pa.googleapis.com udp
NL 172.217.168.206:443 apis.google.com udp
NL 216.58.214.10:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9223 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 13.89.179.12:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

\??\pipe\crashpad_844_WTVQKYFDWLVQUQWK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/3728-71-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 47a1175ace396690874c083b24db5969
SHA1 dbd4bba11202a089b9624aa24a51b06f8d7d0a70
SHA256 f6ad7e8441b382372083e2a6c9169ee01ffbfe4cd5a081c74f2916d26322c8f5
SHA512 83874d49b54f7aed99f10b1ab152d0e8313f03cc7a16646f06ccc6162732e9096cd1dcf13e69a940b4c91bb50e91b09fbfccd62042939456b80465d0b211359f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f09c5037ff47e75546f2997642cac037
SHA1 63d599921be61b598ef4605a837bb8422222bef2
SHA256 ba61197fff5ed487084790b869045ab41830bdf6db815503e8e064dd4e4df662
SHA512 280bff6eac4b2b4fe515696223f61531f6b507c4c863ad9eef5ab0b1d65d264eba74fb7c9314b6920922142b8ab7605792211fca11a9a9ef0fc2ae995bf4f473

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 010f6dd77f14afcb78185650052a120d
SHA1 76139f0141fa930b6460f3ca6f00671b4627dc98
SHA256 80321891fd7f7c02dd4be4e5be09f8e57d49e076c750f8deb300be8f600de2d7
SHA512 6e6c9e348e948b946cfb97478698423e1272c4417bc8540e5daa64858e28be8fda5baf28538aee849f8bb409c17a51c60e48a3f1793e3a86cb27edeb32aa30a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\13a3abfb-46ea-4ae5-bbf3-1b5a60521241.tmp

MD5 86403f46ebf73a60f18c324fc9c524ec
SHA1 f971708e838b0df878bffc8cf38b63207904ab5d
SHA256 d840aacbe986a0164c321b39e63718f92329b0114eb366f4e3395a68eff3c573
SHA512 93abaa3daca3e84c323e4a916e998c86a397d15cf4aff54726f98d88652dbae962a07c852ea72d2740b441f421f37d6df64f53eb6761501ed7d51d78f4f53e20

C:\ProgramData\cbsjw\srq9hl

MD5 3919fa77c6b2c8f967912d0cf26a4d95
SHA1 15d4474682bc23a090b8c842a6f715073dd8d00f
SHA256 05a5c959c38e6370bcc6cadf517209e4d9ea93d3216633568a60ead6fe96e9a7
SHA512 9b4c9a7bdfee674631df1095490afb5ab159ebd2dd8afe5a77afadf250355e785cdc091c6108d9fba0e280f305d0a8acfb557d91d60e21057316de40aca550f3

memory/3728-154-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\0iMSdYX.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -windowstyle hidden -command "Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\nahprot.bat' -ArgumentList 'gOsYxjsoymkBmrzpQYy' -WindowStyle Hidden"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\nahprot.bat" gOsYxjsoymkBmrzpQYy "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe "if ((Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty Model | findstr /i 'WDS100T2B0A') -and (-not (Get-ChildItem -Path F:\ -Recurse | Where-Object { -not $_.PSIsContainer } | Measure-Object).Count)) {exit 900} else {exit 1}"

C:\Windows\system32\findstr.exe

"C:\Windows\system32\findstr.exe" /i WDS100T2B0A

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1212-0-0x00007FFFADEF3000-0x00007FFFADEF5000-memory.dmp

memory/1212-1-0x0000000000FE0000-0x0000000001A0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\nahprot.bat

MD5 4eb348c6ecbb8c6e4c5543fc254ce626
SHA1 f24923fcd2bb9148270e08622fa6c1079aa81fe1
SHA256 f1a5969e8b42932f80dc6e74d3301f120cba27a0b27ba2c92ebef7539a89e633
SHA512 69b48d17bd205092d3cf3c856ce3920b922f2b701294299b9097613b74acce3d8b866f96557ba532b973f6b321b1705251feb9f85af2edf54aa75c032fae878f

memory/3904-13-0x000002871D800000-0x000002871D822000-memory.dmp

memory/3904-17-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l141uqv2.eas.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3904-18-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp

memory/3904-19-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp

memory/3904-22-0x00007FFFADB70000-0x00007FFFAE631000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Analysis: behavioral5

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240729-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

Signatures

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1740 set thread context of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe
PID 1740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\8NsQP4U.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 500

Network

Country Destination Domain Proto
US 8.8.8.8:53 pirtyoffensiz.bet udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp
US 172.67.216.4:443 hobbyedsmoker.live tcp

Files

memory/1740-0-0x000000007468E000-0x000000007468F000-memory.dmp

memory/1740-1-0x00000000011E0000-0x00000000012B6000-memory.dmp

memory/1740-2-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2460-13-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2460-19-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1740-18-0x0000000074680000-0x0000000074D6E000-memory.dmp

memory/2460-17-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-15-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-12-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-10-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-6-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-4-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2460-20-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1740-21-0x0000000074680000-0x0000000074D6E000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

127s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI7B0D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7BCA.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7C57.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777a03.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7DCE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f777a03.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f777a00.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f777a00.msi C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2688 wrote to memory of 2900 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005CC" "000000000000005C"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 85A4A1DF0027295303D0DBA74224C47D

C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe

"C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab7A8D.tmp

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar7AED.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

\Windows\Installer\MSI7B0D.tmp

MD5 fbc6ccca9154d017d647938190e4ad8d
SHA1 e753f1511f27427616e98762ba2f45d67c3d90d4
SHA256 d0c9f193d5fb108035c24cd16495d8471295c8ae4a507cc939dcd3c31ed70836
SHA512 d72a7b6be718e09b0b6b2a6c32888fb29bbe34d34d1965cce017162224db20d4badaae507244e16e7a72b84a15139fc9cb6ea703925666906f73420684e0d49d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d4eac348875fc86de13e9f97cc5fefb
SHA1 3f161725b3319903ebe43f2d9237cbb011c28971
SHA256 fcf62c342a146c5c05b466b90b55805ef82a6acdb865ee1766bf153991b5c251
SHA512 8f39cc2a3f0fee1138e5120a377b113a4ad05602500f3efabf021319d162f7acc679c16ddec9e5571a9efa785efd7939fcc229d04742e33a7c1bb6ac0baa81a7

C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe

MD5 83d265901f1be93c303b7b8741fd7152
SHA1 f67cdd4dac204e1312c194172807cbf01d1533a2
SHA256 4f16406f50cbe21dca89bdfefe2f37277e87991adf21afca6c5a7e707eb8fdcf
SHA512 edab01a53fe3f120333c6884f01ae6427aa4b5e9a7af44260a3c52f6ce49bf73641299cecde423554983218314e4bd412b55dfc0812f694aa0dc91fc34999d77

C:\Config.Msi\f777a04.rbs

MD5 38b348ef6f0f8f403cd991f3e733ecd9
SHA1 c3c5545b77a979f9d4601a0369650f063c7600a0
SHA256 fac4a65e74fcf805c07181198442eb9aea50da272e749209acdd49466b46c762
SHA512 a7fb7e1a77888cbd4acb5fac6b7a0a6d502dd4323580011224a34c62eda8928971a6fd8a0ac14244160b8a856bfd48ac5b14e8f82a509f7821cd44d054dc270d

Analysis: behavioral10

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

145s

Max time network

146s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{55F95064-5419-481D-8C36-B97E94F0FDB0} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB73E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57b40e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57b40e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB4B9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB5D4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB652.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB662.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000af481e24cb2ccf490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000af481e240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900af481e24000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1daf481e24000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000af481e2400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware
Note: the VSS activity in this detonation comes from Windows Installer requesting a system restore point before the install: vssvc.exe starts and srtasks.exe runs ExecuteScopeRestorePoint /WaitForRestorePoint:2 (both listed under Processes below), and vssvc.exe is the process writing the Partmgr PartitionTableCache and SnapshotDataCache values above. No shadow-copy deletion and no vssadmin or wmic invocation is recorded, so the ransomware tag is a heuristic match on the COM interface rather than evidence of shadow-copy tampering.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\quarantine\DeX17Gw.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F5258B7A8F25D512209756B5E488D032

C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe

"C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Windows\Installer\MSIB4B9.tmp

MD5 fbc6ccca9154d017d647938190e4ad8d
SHA1 e753f1511f27427616e98762ba2f45d67c3d90d4
SHA256 d0c9f193d5fb108035c24cd16495d8471295c8ae4a507cc939dcd3c31ed70836
SHA512 d72a7b6be718e09b0b6b2a6c32888fb29bbe34d34d1965cce017162224db20d4badaae507244e16e7a72b84a15139fc9cb6ea703925666906f73420684e0d49d

\??\Volume{241e48af-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ec428f4a-0ca4-4e1c-8106-2c037f1fbcdd}_OnDiskSnapshotProp

MD5 d60bf153f50b4a33a1522d7ae5ecf38c
SHA1 0ac489cfd61a32981b28ca3808310e290db8e063
SHA256 30568b29697d37a6824492864eaa08da9719088d26b9b026a5c625950ec99465
SHA512 1d1bbd4cbd1c9bafc548e425c756f375aad69b0230f56905e439ffe5b00fe96e55befe0eec52e6bfebc8c5b2c15c01e6e25cfdfdba48b3ee408572fe63d2d895

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 b0d48e474c35658999a0685f2d754b84
SHA1 dfd80ebe2f732c4aea40dafe72d4e4743aa9f9ce
SHA256 b93bfccfeeb6e64bc702ec5ba8819628d4c37ba0ed96abf5be4a62822187f32e
SHA512 dc0d5fa67ee32751047cfde9bdf3f7ec454bb69b557cb8a0bf5a753a6ee5aa3e22dca2ba9742aebfdefe762457bda4cc91b81a4b697c1dfad9aebba09058bf5c

C:\Config.Msi\e57b411.rbs

MD5 e468200c883e319a847ab333976a66c0
SHA1 c75199efba67c2599892421551c38c6e5803549c
SHA256 b5f73cbaf8b284530c4b98c1ba0f17d7c9127c97be515b910ccab1205e9da04c
SHA512 3850f0d35b298a4fc9f4a122d8bc6d130f79abaa3795f54eb19b6505ec06626e2e003193e07f1fa01ddb3ce6cfbdc89416e0ada4aa9e958540d34cc35e1c868b

C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\ipconfig.exe

MD5 83d265901f1be93c303b7b8741fd7152
SHA1 f67cdd4dac204e1312c194172807cbf01d1533a2
SHA256 4f16406f50cbe21dca89bdfefe2f37277e87991adf21afca6c5a7e707eb8fdcf
SHA512 edab01a53fe3f120333c6884f01ae6427aa4b5e9a7af44260a3c52f6ce49bf73641299cecde423554983218314e4bd412b55dfc0812f694aa0dc91fc34999d77

C:\Users\Admin\AppData\Roaming\Public Company\Public Software Installer\dhcpcsvc.DLL

MD5 1689d3fbe3ed4bcb9074ae6082b5152d
SHA1 4f74fd2cbe57244a34b39faacc4aad587059b31e
SHA256 d955d0a255078fed07efd6ea5433c01ad966c77991a765aa8d202010879134c6
SHA512 c3c382a665cae7c3da068081550855f6018713c944073e430565c25c953ae0f71829025e72b27f2798e04416c3651daea573e147a773cf2b8e016dd4cd6cf585

memory/2220-139-0x0000000002320000-0x000000000292B000-memory.dmp

memory/2220-141-0x0000000003960000-0x0000000003F6B000-memory.dmp

memory/2220-140-0x0000000003960000-0x0000000003F6B000-memory.dmp

memory/2220-142-0x0000000074780000-0x00000000756B9000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

Reads user/profile data of local email clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A
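The registry reads listed above (the VirtualBox ACPI table, the two BIOS version strings, the per-user Software\Wine key and the NLS language key) are the whole anti-analysis fingerprint the report captures for bgUvqLl.exe. As an added example that is not part of the sandbox report, the following Python classifies such rows per process and scores them, so the same probes can be pulled out of any event export instead of being read by eye. The event lines are copied from this analysis; the explorer.exe line, the category weights and the threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Sandbox event lines, constructed for this example by copying the
# "Key opened" / "Key value queried" rows the report lists for
# bgUvqLl.exe, plus one benign line (explorer.exe reading the language
# key) that is an assumption added to show the contrast.
EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\explorer.exe N/A",
]

# One report row: action, registry path, acting process image, target.
# The process path may contain spaces, so the registry path is matched
# lazily up to the first token that looks like a drive-rooted path.
ROW = re.compile(
    r"^(?P<action>Key opened|Key value queried|Key created|Set value \(data\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>[A-Za-z]:\\.+?)\s+"
    r"(?P<target>N/A|[A-Za-z]:\\.*)$"
)

# Registry locations that only make sense to read when probing for an
# analysis environment. Weights are an assumption for this example.
PROBES = (
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\(VBOX__|VMWARE|QEMU|BOCHS)", re.I),
     "hypervisor_acpi_table", 3),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "bios_version_string", 2),
    (re.compile(r"\\Software\\Wine$", re.I), "wine_marker", 2),
    # Locale lookups are common in benign code; stealers read them to skip
    # chosen locales, so keep the category visible but give it weight 0.
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "system_language", 0),
)


def parse_row(line):
    """Split one report row into its four columns, or return None for non-matching text."""
    m = ROW.match(line)
    return m.groupdict() if m else None


def classify_probes(lines, threshold=4):
    """Return {process: {"categories": set, "score": int, "anti_analysis": bool}}.

    Each probe category counts once per process, so a sample that polls
    SystemBiosVersion in a loop does not score higher than one that reads it once.
    """
    per_proc = defaultdict(lambda: {"categories": set(), "score": 0, "anti_analysis": False})
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        for pattern, category, weight in PROBES:
            if pattern.search(row["path"]):
                entry = per_proc[row["proc"]]
                if category not in entry["categories"]:
                    entry["categories"].add(category)
                    entry["score"] += weight
    for entry in per_proc.values():
        entry["anti_analysis"] = entry["score"] >= threshold
    return dict(per_proc)


if __name__ == "__main__":
    for proc, info in classify_probes(EVENTS).items():
        print(f"{proc}\n  score={info['score']} anti_analysis={info['anti_analysis']} {sorted(info['categories'])}")
```

The per-category counting matters when triaging noisy exports: the report itself lists SystemBiosVersion and VideoBiosVersion as two rows, but they are one technique and should move the score once.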

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\bgUvqLl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 embarkiffe.shop udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp
US 104.21.78.43:443 hobbyedsmoker.live tcp

Files

memory/2380-0-0x0000000001240000-0x0000000001549000-memory.dmp

memory/2380-1-0x0000000077370000-0x0000000077372000-memory.dmp

memory/2380-2-0x0000000001241000-0x000000000126B000-memory.dmp

memory/2380-3-0x0000000001240000-0x0000000001549000-memory.dmp

memory/2380-4-0x0000000001240000-0x0000000001549000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

104s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/212-0-0x0000000000B00000-0x0000000000D25000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20250207-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Cv5YtUn.exe"

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\bvts\vsqo.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\bvts\vsqo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\bvts\vsqo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\bvts\vsqo.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine C:\ProgramData\bvts\vsqo.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
N/A N/A C:\ProgramData\bvts\vsqo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\bvts\vsqo.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
N/A N/A C:\ProgramData\bvts\vsqo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bvts\vsqo.exe
PID 2624 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bvts\vsqo.exe
PID 2624 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bvts\vsqo.exe
PID 2624 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\bvts\vsqo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {786B5192-4D60-4AF8-9257-2A1E8B4E4A68} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]

C:\ProgramData\bvts\vsqo.exe

C:\ProgramData\bvts\vsqo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5110 towerbingobongoboom.com tcp

Files

memory/2244-0-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-1-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/2244-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2244-4-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-6-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-7-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-8-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-9-0x0000000000400000-0x0000000000846000-memory.dmp

C:\ProgramData\bvts\vsqo.exe

MD5 77c6d4944106ec80bb717043741b57da
SHA1 aa1550acb66847744e99ee1181d8a7c9035f1339
SHA256 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80
SHA512 b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a

memory/2572-12-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-13-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 d7378aeab567869510665c70d9f74917
SHA1 42642dd5f115e6885b0a9a1fe38bbf6814dad254
SHA256 3d613854f3db162dea3df4007b240f5b69874222d62ba38f96e98736a44f4adb
SHA512 adba346eb9f275300cc33d0a76a04314da25cb1bef726786b74f94a0c74c7ebf05e8f922d93192486811a1d8e67db88d703093d01d48ecec4e4ac503561e6f12

memory/2572-15-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-16-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-17-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-18-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-19-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-20-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-21-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-22-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-23-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-24-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-25-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-26-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2244-27-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-29-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-31-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-32-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-33-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-34-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-35-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-36-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-37-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-38-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2572-39-0x0000000000400000-0x0000000000846000-memory.dmp
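Taken together, the rows of this analysis describe one persistence chain: netdriver.exe writes Test Task17.job into C:\Windows\Tasks, the dropped vsqo.exe sits under C:\ProgramData\bvts\, the Windows 7 task host taskeng.exe launches it, and the payload then talks to towerbingobongoboom.com on TCP 4000 and 5110. The following Python, added here as an example and not part of the report, reconstructs that chain from the Processes, "File created" and Network rows and labels each link with its ATT&CK technique. The inputs are copied from this analysis; the rule thresholds (any TCP port other than 80/443 counts as non-standard, any .job written by a non-system binary counts as persistence) are assumptions.

```python
import re

# Constructed from the rows this analysis lists for netdriver.exe: the
# Processes section (image, command line), the "File created" row and the
# Network table. Nothing here goes beyond copying those rows.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"'),
    (r"C:\Windows\system32\taskeng.exe",
     r"taskeng.exe {786B5192-4D60-4AF8-9257-2A1E8B4E4A68} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]"),
    (r"C:\ProgramData\bvts\vsqo.exe", r"C:\ProgramData\bvts\vsqo.exe"),
]
FILE_EVENTS = [
    r"File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A",
]
NETWORK = [
    "US 8.8.8.8:53 towerbingobongoboom.com udp",
    "DE 93.186.202.3:4000 towerbingobongoboom.com tcp",
    "DE 93.186.202.3:5110 towerbingobongoboom.com tcp",
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WEB_PORTS = {80, 443}  # assumption: anything else counts as non-standard here

# "File created <path> <writer> <target>": paths may contain spaces, so match
# lazily up to the next drive-rooted token.
FILE_ROW = re.compile(
    r"^File created\s+(?P<path>[A-Za-z]:\\.+?)\s+(?P<proc>[A-Za-z]:\\.+?)\s+(?P<target>N/A|[A-Za-z]:\\.*)$"
)
# "<country> <ip>:<port> <domain> <proto>" as printed in the Network table.
NET_ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)


def task_jobs_written(file_events):
    """(.job path, writer) for legacy Task Scheduler jobs created by a non-system binary (T1053.005)."""
    out = []
    for line in file_events:
        m = FILE_ROW.match(line)
        if not m:
            continue
        path, writer = m["path"], m["proc"]
        if (path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job")
                and not writer.lower().startswith(SYSTEM_DIRS)):
            out.append((path, writer))
    return out


def task_launched_payloads(processes):
    """Binaries run from ProgramData with a bare command line while the Win7 task host is present."""
    task_host_live = any(img.lower().endswith(r"\taskeng.exe") for img, _ in processes)
    if not task_host_live:
        return []
    return [img for img, cmd in processes
            if img.lower().startswith("c:\\programdata\\") and cmd.strip('"').lower() == img.lower()]


def non_standard_ports(network):
    """(domain, ip, port) for TCP flows to ports outside WEB_PORTS (T1571)."""
    out = []
    for line in network:
        m = NET_ROW.match(line)
        if m and m["proto"] == "tcp" and int(m["port"]) not in WEB_PORTS:
            out.append((m["domain"], m["ip"], int(m["port"])))
    return out


def persistence_chain(processes, file_events, network):
    """Human-readable findings in chain order: persistence, task-launched payload, C2."""
    findings = [f"T1053.005 scheduled task: {writer} wrote {path}"
                for path, writer in task_jobs_written(file_events)]
    findings += [f"task-launched payload: {img} (bare command line, taskeng.exe present)"
                 for img in task_launched_payloads(processes)]
    findings += [f"T1571 non-standard port: {dom} -> {ip}:{port}/tcp"
                 for dom, ip, port in non_standard_ports(network)]
    return findings


if __name__ == "__main__":
    for finding in persistence_chain(PROCESSES, FILE_EVENTS, NETWORK):
        print(finding)
```

The taskeng.exe check is deliberately loose: the report does not print parent PIDs, so the only evidence that the task host started vsqo.exe is its presence in the process list together with the "PID 2624 wrote to memory of 2572" rows above, which is the shape CreateProcess leaves behind.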

Analysis: behavioral29

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20241010-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

Vidar family

vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2848 set thread context of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
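A parent writing into a freshly created child of its own image and then calling SetThreadContext on it (PID 2848 -> 1372 here, with the matching writes listed under "Suspicious use of WriteProcessMemory" further down this analysis) is the shape of process hollowing: the child's start thread is redirected into the injected payload. The sandbox also records plain process creation as a write, because the creating process fills in the child's command line and environment, which is why chrome.exe -> chrome.exe rows appear in the same table. As an added example that is not part of the report, the Python below pairs the two event types per (source PID, target PID) and separates the hollowing candidate from launch-shaped writes. The event lines are copied from this analysis; the verdict labels are the example's own heuristics.

```python
import re
from collections import defaultdict

# Rows constructed for this example by copying the SetThreadContext and
# WriteProcessMemory entries this analysis records for q3na5Mc.exe
# (long runs of identical rows collapsed to one or two).
EVENTS = [
    r"PID 2848 set thread context of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
    r"PID 2848 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe",
    r"PID 1372 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"PID 1508 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe",
]

# "PID <src> <op> <dst> N/A <src image> <dst image>"; image paths may contain
# spaces, so the source image is matched lazily up to the next drive-rooted token.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_img>[A-Za-z]:\\.+?)\s+(?P<dst_img>[A-Za-z]:\\.*)$"
)


def pair_events(lines):
    """Group rows by (source PID, target PID), counting writes and noting SetThreadContext."""
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False, "src_img": "", "dst_img": ""})
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue
        p = pairs[(int(m["src"]), int(m["dst"]))]
        p["src_img"], p["dst_img"] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            p["writes"] += 1
        else:
            p["set_context"] = True
    return dict(pairs)


def injection_verdicts(lines):
    """Return {(src, dst): verdict} separating hollowing from launch-shaped writes."""
    verdicts = {}
    for key, p in pair_events(lines).items():
        same_image = p["src_img"].lower() == p["dst_img"].lower()
        dst_name = p["dst_img"].rsplit("\\", 1)[-1].lower()
        if p["set_context"] and p["writes"]:
            # Payload written into a child, then its start thread redirected:
            # the process-hollowing sequence. Same image means the child is a
            # suspended clone of the parent, the usual target choice.
            verdicts[key] = "hollowing: write + SetThreadContext" + (" into own image" if same_image else "")
        elif p["set_context"]:
            verdicts[key] = "SetThreadContext without recorded write (review)"
        elif dst_name == "werfault.exe":
            # WerFault is started by the faulting process; CreateProcess shows up as a write.
            verdicts[key] = "WerFault spawn (a child crashed; launch, not injection)"
        elif same_image and dst_name == "chrome.exe":
            verdicts[key] = "browser spawning its own child (launch shape)"
        else:
            verdicts[key] = "cross-process write without SetThreadContext (review)"
    return verdicts


if __name__ == "__main__":
    for (src, dst), verdict in sorted(injection_verdicts(EVENTS).items()):
        print(f"{src} -> {dst}: {verdict}")
```

Only the 2848 -> 1372 pair carries both signals; the q3na5Mc.exe -> chrome.exe write (1372 -> 1508) stays a review item because a write without a context change is equally consistent with the payload simply launching the browser.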

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies system certificate store

defense_evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob elided] C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe N/A
Note: AuthRoot\Certificates is the cache that the Windows automatic root-certificate update fills the first time a process builds a TLS chain to a root not yet present on the machine, so a write here attributed to the sample is expected when a stealer makes its first HTTPS connection. It is trust tampering only if the thumbprint is not in the Microsoft Trusted Root Program; verify 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 against that list before counting this as defense evasion.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe
PID 2848 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2848 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2848 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 2848 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Windows\SysWOW64\WerFault.exe
PID 1372 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1372 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1372 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1372 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2992 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 1508 wrote to memory of 2808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 1508 wrote to memory of 2808 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\system32\ctfmon.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1508 wrote to memory of 2576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 508

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6589758,0x7fef6589768,0x7fef6589778

C:\Windows\system32\ctfmon.exe

ctfmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1512 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1316 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3488 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3612 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 --field-trial-handle=1372,i,12604981358356096651,2044789276608903448,131072 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2ngdj" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 11
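
Two rows in this process list carry the stealer's actual tradecraft. The browser process (PID 1508, the owner of the crashpad_1508 pipe in the Files section) is started with --remote-debugging-port=9223 and an explicit --profile-directory, which exposes the DevTools protocol on loopback; a local client can then ask the live browser for the profile's cookies instead of decrypting the cookie database on disk, and the two 127.0.0.1:9223 connections in the Network table are that client. The cmd.exe row is the delayed self-cleanup of C:\ProgramData\2ngdj. The detection below is an added example, not part of the sandbox report: it runs over constructed process-creation records modelled on this table. The report does not list every parent link, so the parent PIDs (1372 as the parent of chrome.exe and cmd.exe) and the PIDs of cmd.exe/timeout.exe are assumptions.

```python
import re

# Constructed process-creation records modelled on the Processes table above.
# Parent PIDs and the cmd.exe/timeout.exe PIDs are assumptions; 2848, 1372,
# 1508 and 2576 are PIDs the report itself shows.
SAMPLE_EVENTS = [
    {"pid": 2848, "ppid": 1204,
     "image": r"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"'},
    {"pid": 1372, "ppid": 2848,
     "image": r"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\quarantine\q3na5Mc.exe"'},
    {"pid": 1508, "ppid": 1372,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"'},
    {"pid": 2576, "ppid": 1508,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --remote-debugging-port=9223 --lang=en-US /prefetch:1'},
    {"pid": 3300, "ppid": 1372,
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\2ngdj" & exit'},
    {"pid": 3332, "ppid": 3300,
     "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout /t 11"},
]

CHROME_RE = re.compile(r"\\chrome\.exe$", re.IGNORECASE)
DEBUG_FLAG_RE = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)\b", re.IGNORECASE)
PROFILE_RE = re.compile(r'--profile-directory="?([^"\s]+)', re.IGNORECASE)
# "timeout /t N & rd /s /q <dir>": sleep, then remove a directory, in one cmd line.
CLEANUP_RE = re.compile(
    r'\btimeout\s+/t\s+\d+\s*&+\s*(?:rd|rmdir|del|erase)\b(?:\s+/[sqfa])*\s+"?([^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE)


def detect_remote_debugging(events):
    """chrome.exe started with a DevTools remote-debugging flag by a parent that
    is not chrome.exe. Chrome's own --type=... helpers inherit the flag from the
    browser process, so they are skipped; the browser process launched by an
    executable in %TEMP% is the finding."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not CHROME_RE.search(e["image"]) or "--type=" in e["cmdline"]:
            continue
        flag = DEBUG_FLAG_RE.search(e["cmdline"])
        if not flag:
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        if parent and CHROME_RE.search(parent_image):
            continue
        profile = PROFILE_RE.search(e["cmdline"])
        findings.append({
            "rule": "chrome_remote_debugging_from_foreign_parent",
            "pid": e["pid"],
            "parent_image": parent_image,
            # None means --remote-debugging-pipe (no TCP port)
            "port": int(flag.group(1)) if flag.group(1) else None,
            "profile": profile.group(1) if profile else None,
        })
    return findings


def detect_delayed_cleanup(events):
    """cmd.exe that sleeps with timeout and then removes a path: the
    self-cleanup this sample runs against C:\\ProgramData\\2ngdj."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = CLEANUP_RE.search(e["cmdline"])
        if m:
            findings.append({"rule": "delayed_directory_removal",
                             "pid": e["pid"], "target": m.group(1).strip()})
    return findings


if __name__ == "__main__":
    for f in detect_remote_debugging(SAMPLE_EVENTS) + detect_delayed_cleanup(SAMPLE_EVENTS):
        print(f)
```

The parent check is what keeps this rule quiet on a normal machine: developers and test harnesses do start Chrome with a debugging port, but from a shell or an IDE, not from a freshly dropped executable under %TEMP%. Pairing the finding with a later loopback connection to the same port from a non-Chrome process, as in the Network table below, is the stronger signal.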

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.168.196:443 www.google.com tcp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
NL 216.58.208.106:443 ogads-pa.googleapis.com tcp
NL 172.217.168.206:443 apis.google.com tcp
NL 216.58.208.106:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
N/A 224.0.0.251:5353 udp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
N/A 127.0.0.1:9223 tcp
N/A 127.0.0.1:9223 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
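
The shape of this table is the usual stealer pattern: a lookup of a public service (t.me, steamcommunity.com) that serves as a dead-drop resolver, followed by a burst of TLS connections straight to an IP with no hostname (159.69.100.232:443, where the Domain column just repeats the address), plus the loopback hits on the Chrome debugging port. Sorting the rows into those classes is an added example, not part of the sandbox report; it parses a constructed subset of the rows above in the table's own layout. The dead-drop host list is an assumption for the example, seeded from the domains in this report.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed subset of the Network table above, in its own
# "Country Destination Domain Proto" layout (a row with no domain has three fields).
NETWORK_ROWS = """
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.123.95.227:443 steamcommunity.com tcp
DE 159.69.100.232:443 159.69.100.232 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
US 8.8.8.8:53 www.google.com udp
NL 172.217.168.196:443 www.google.com tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9223 tcp
DE 159.69.100.232:443 159.69.100.232 tcp
"""

# Public services used as dead-drop resolvers: the sample fetches a profile or
# page and parses the real C2 address out of it. Assumed set for this example.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com", "raw.githubusercontent.com"}


def parse_rows(text):
    """Split table rows into dicts; tolerate a missing Domain column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if ip.is_loopback:
        return "loopback"          # e.g. the DevTools port opened on Chrome
    if ip.is_multicast:
        return "multicast"         # mDNS noise from the guest itself
    if row["domain"] in DEAD_DROP_HOSTS:
        return "dead_drop"
    if not row["domain"] or row["domain"] == row["ip"]:
        return "direct_ip"         # TLS to a bare IP: no SNI, no DNS
    return "other"


def triage(text):
    """Count rows per class and tally endpoints (host:port) within each class."""
    counts = Counter()
    endpoints = defaultdict(Counter)
    for row in parse_rows(text):
        kind = classify(row)
        counts[kind] += 1
        endpoints[kind][f'{row["domain"] or row["ip"]}:{row["port"]}'] += 1
    return counts, endpoints


def likely_c2(endpoints):
    """Direct-to-IP endpoints ranked by hit count; the address the sample keeps
    returning to after the dead-drop lookups is the C2 candidate to block."""
    return endpoints["direct_ip"].most_common()


if __name__ == "__main__":
    counts, endpoints = triage(NETWORK_ROWS)
    print(dict(counts))
    print(likely_c2(endpoints))
```

Blocking t.me or steamcommunity.com outright is rarely an option, which is why the direct-IP class matters: it is the one set of indicators here that can go straight into an egress deny list, while the dead-drop domains are better used as a hunting pivot (which hosts looked up t.me and then opened TLS to a bare IP within the same minute).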

Files

memory/2848-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

memory/2848-1-0x00000000001C0000-0x00000000001EC000-memory.dmp

memory/1372-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-13-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1372-9-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-7-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-8-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-6-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-5-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-15-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-4-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-3-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2848-16-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1372-17-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar7F26.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fbbbd8aee2a291de2aca7e2b83dc4300
SHA1 dd8a76a186a8218d6be14c2115e0399e0fc029a7
SHA256 eb634e1b1642bb87f72ca27ffe19565a6640d758eeeb0576135933f9bdb28d5c
SHA512 f2cd4b8363840b95c564b22eb2dd0fa1a073811a68d9fac74d9ff1be6c9aaaef250adbb921f1fab0a252842e59527a4ef09bd611348e507254583f2a1b28fea2

memory/1372-165-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-186-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-191-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-212-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-215-0x0000000000400000-0x0000000000429000-memory.dmp

memory/2848-216-0x0000000073EF0000-0x00000000745DE000-memory.dmp

memory/1372-240-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-264-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-265-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-266-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-291-0x0000000000400000-0x0000000000429000-memory.dmp

\??\pipe\crashpad_1508_JCTSRLKFSRCWNWGA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/1372-362-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-365-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-408-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-409-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-431-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-452-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-493-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-514-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-515-0x0000000000400000-0x0000000000429000-memory.dmp

memory/1372-578-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\rA6Gys9.exe"

Network

N/A

Files

memory/808-0-0x0000000000260000-0x0000000000485000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2980 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Windows\SysWOW64\WerFault.exe
PID 2980 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Windows\SysWOW64\WerFault.exe
PID 2980 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Windows\SysWOW64\WerFault.exe
PID 2980 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Windows\SysWOW64\WerFault.exe
PID 2652 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
PID 2652 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
PID 2652 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
PID 2652 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
PID 2652 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
PID 2652 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
PID 2652 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
PID 2652 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
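
Read together, the SetThreadContext and WriteProcessMemory rows describe process hollowing: PID 2980 starts a second copy of its own image (PID 2652), writes into it and resets its thread context, so the 0x400000-0x60C000 region dumped from 2652 in the Files section is the unpacked payload rather than the file on disk. The original process then crashes (WerFault.exe -p 2980), and it is the hollowed child, 2652, that launches the two dropped executables in AppData\Roaming. The correlation below is an added example, not part of the sandbox report; it rebuilds that chain from a constructed subset of the signature rows above, in the report's own row layout. It has no timestamps, so it matches on the pair of events rather than their order.

```python
import re

# Constructed subset of the SetThreadContext / WriteProcessMemory rows above,
# in the report's own layout. Paths in this detonation contain no spaces.
SIGNATURE_ROWS = r"""
PID 2980 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe
PID 2980 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Windows\SysWOW64\WerFault.exe
PID 2652 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe
PID 2652 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe
"""

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$")

# Locations a user can write to; dropped second-stage binaries live here.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\")


def parse_events(text):
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            events.append({"src": int(src), "action": action, "dst": int(dst),
                           "src_img": src_img, "dst_img": dst_img})
    return events


def find_hollowing(events):
    """(parent, child) pairs where a process wrote into a child running the same
    image AND replaced that child's thread context: the hollowing sequence."""
    wrote = {(e["src"], e["dst"]) for e in events
             if e["action"] == "wrote to memory of"
             and e["src_img"].lower() == e["dst_img"].lower()}
    ctx = {(e["src"], e["dst"]) for e in events
           if e["action"] == "set thread context of"}
    return sorted(wrote & ctx)


def dropped_children(events, parent):
    """Distinct (pid, image) the given PID wrote into that run a different image
    from a user-writable path, i.e. dropped payloads it started. Writes into
    WerFault.exe (the crash handoff) are excluded by the path filter."""
    seen = {}
    for e in events:
        if e["src"] != parent or e["action"] != "wrote to memory of":
            continue
        img = e["dst_img"]
        if img.lower() != e["src_img"].lower() and any(d in img.lower() for d in USER_WRITABLE):
            seen[e["dst"]] = img
    return sorted(seen.items())


def build_chain(text):
    """One record per hollowed process: who hollowed it and what it then launched."""
    events = parse_events(text)
    return [{"hollowed_parent": src, "hollowed_child": dst,
             "children": dropped_children(events, dst)}
            for src, dst in find_hollowing(events)]


if __name__ == "__main__":
    for rec in build_chain(SIGNATURE_ROWS):
        print(rec)
```

On a live host the same pairing comes from Sysmon Event ID 10 (ProcessAccess with PROCESS_VM_WRITE and THREAD_SET_CONTEXT rights) filtered to TargetImage equal to SourceImage; the child PID the rule yields (2652 here) is the one whose memory should be dumped, since its on-disk image is only the loader.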

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\JhOTKwS.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 524

C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe

"C:\Users\Admin\AppData\Roaming\iWCLKpajPR.exe"

C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe

"C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe"

Network

Country Destination Domain Proto
GB 37.235.55.68:1987 tcp
RU 194.87.99.40:80 194.87.99.40 tcp
RU 194.87.99.40:80 194.87.99.40 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
RU 194.87.99.40:80 194.87.99.40 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

memory/2980-0-0x0000000073F1E000-0x0000000073F1F000-memory.dmp

memory/2980-1-0x00000000012F0000-0x0000000001504000-memory.dmp

memory/2652-3-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-9-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2652-8-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-16-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-7-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-6-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-5-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2980-15-0x0000000073F10000-0x00000000745FE000-memory.dmp

memory/2652-14-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-13-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-12-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2652-4-0x0000000000400000-0x000000000060C000-memory.dmp

\Users\Admin\AppData\Roaming\iWCLKpajPR.exe

MD5 8522913829a30ad563871e12fdd07707
SHA1 6d4fc1b91909a5b267e4cd4f581068fe77e44e6f
SHA256 dcb40abf5ad8a692a62ac722866eb14664d7951b1fa9498091d46a0af0b6813c
SHA512 3fe8eb66c3273a743f97293306cf1eaf30264b6fa187af62d6db533335691867eee51a206341c1b97ec6fd59d6d2c99f44e4958e869e98b9f62bc8a56074f80f

memory/2652-33-0x0000000000400000-0x000000000060C000-memory.dmp

C:\Users\Admin\AppData\Roaming\SNOEoANfJ3.exe

MD5 4761ea2568c231143ed81463fdf8e01d
SHA1 6c821733e1487e79499e374b97464de323a9be5c
SHA256 37f54e6b882a55e2b461807c3d82eef458a92b3a0eb509096777d3a75e074e7e
SHA512 542dd6e12402f3b0510ee5cd04e1d277177cbce09a532b92714cfa02f5c9dcdbfbfd333b9ca9e5af8e2d697825104178535572c54a44f4084ef50009e7924ea5

memory/2652-31-0x0000000000400000-0x000000000060C000-memory.dmp

memory/2784-34-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

memory/2608-35-0x00000000011B0000-0x0000000001384000-memory.dmp

memory/2608-37-0x0000000000410000-0x000000000041E000-memory.dmp

memory/2608-42-0x0000000000420000-0x000000000042E000-memory.dmp

memory/2608-44-0x0000000000460000-0x000000000046C000-memory.dmp

memory/2608-40-0x0000000000440000-0x000000000045C000-memory.dmp

memory/2608-39-0x0000000000460000-0x000000000047C000-memory.dmp

memory/2980-45-0x0000000073F10000-0x00000000745FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 83142242e97b8953c386f988aa694e4a
SHA1 833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256 d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512 bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

C:\Users\Admin\AppData\Local\Temp\Tar26F8.tmp

MD5 109cab5505f5e065b63d01361467a83b
SHA1 4ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256 ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512 753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

C:\Users\Admin\AppData\Local\Temp\qOHqs19ozf

MD5 ae2cd96016ba8a9d0c675d9d9badbee7
SHA1 fd9df8750aacb0e75b2463c285c09f3bbd518a69
SHA256 dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04
SHA512 7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Analysis: behavioral21

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\Yg1HwMX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 856

Network

Country Destination Domain Proto
US 8.8.8.8:53 dsfljsdfjewf.info udp
US 8.8.8.8:53 uncertainyelemz.bet udp
US 8.8.8.8:53 hobbyedsmoker.live udp
US 172.67.216.4:443 hobbyedsmoker.live tcp

Files

memory/1992-1-0x00000000000F0000-0x000000000014E000-memory.dmp

memory/1992-0-0x0000000000F00000-0x0000000000F02000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\jsat\ucjskcd.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\jsat\ucjskcd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\jsat\ucjskcd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\jsat\ucjskcd.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine C:\ProgramData\jsat\ucjskcd.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A
N/A N/A C:\ProgramData\jsat\ucjskcd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\jsat\ucjskcd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\netdriver.exe"

C:\ProgramData\jsat\ucjskcd.exe

C:\ProgramData\jsat\ucjskcd.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5112 towerbingobongoboom.com tcp

Files


C:\ProgramData\jsat\ucjskcd.exe

MD5 77c6d4944106ec80bb717043741b57da
SHA1 aa1550acb66847744e99ee1181d8a7c9035f1339
SHA256 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80
SHA512 b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a

memory/4680-15-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4680-16-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 f428af2c82d982ba35a8155a1542a94e
SHA1 66e829251e65ffadb159ce67b7255db97bda306b
SHA256 827a3199ac9ec51fade8ee872cfd5a529716de8257b523da89596b147ab878ff
SHA512 9e8482e22904050344b577a3620534aaba73a1d7b9f8d7f3a5cfbbd60d203f64ec883c50fe1c26c24a02780bab4eff8f571e28b15f48c820a721225f3aeed86a


Analysis: behavioral27

Detonation Overview

Submitted

2025-02-25 22:21

Reported

2025-02-25 22:28

Platform

win7-20250207-en

Max time kernel

122s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\baabdababbec = "\"C:\\ProgramData\\baabdababbec.exe\"" C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe

"C:\Users\Admin\AppData\Local\Temp\quarantine\pwldr.exe"

Network

N/A

Files
